Jayson Wonder, posted March 6, 2007

Hi,

I have installed this contrib for multiple admins: http://www.oscommerce.com/community/contributions,1174 and it is working fine. I also have the standard .htaccess method still in place. Since I have the login method with the multi admin w/levels contrib installed, can I shut off the .htaccess method so people do not have to log in twice? Is there any security risk created by removing this? Any advice is appreciated.

I am quite confused with the .htaccess method at this point as I cannot seem to add or remove users' access. I checked all .htaccess documentation but cannot figure it out. I think it uses .php and/or the oscommerce database to authenticate, can anyone verify this?

Thanks,

davidinottawa, posted March 6, 2007

> Hi,
>
> I have installed this contrib for multiple admins: http://www.oscommerce.com/community/contributions,1174 and it is working fine. I also have the standard .htaccess method still in place. Since I have the login method with the multi admin w/levels contrib installed, can I shut off the .htaccess method so people do not have to log in twice? Is there any security risk created by removing this? Any advice is appreciated.
>
> I am quite confused with the .htaccess method at this point as I cannot seem to add or remove users' access. I checked all .htaccess documentation but cannot figure it out. I think it uses .php and/or the oscommerce database to authenticate, can anyone verify this?

No - htaccess accesses a file named htpasswd. The htpasswd file is kept (usually) at the root or lower in your path. You need to generate a username and password, and dump it in your htpasswd file.

Download the .htaccess file under the admin directory. Open the file to see where the .htpasswd file is kept - then go download it. Generate a new set of credentials using this: http://home.flash.net/cgi-bin/pw.pl and dump the output into the .htpasswd file, then re-upload the .htpasswd file.

Or, your control panel with your host should be able to provide a 'Password Protected Directory' link.

david

Jayson Wonder (Author), posted March 7, 2007

> No - htaccess accesses a file named htpasswd. The htpasswd file is kept (usually) at the root or lower in your path. You need to generate a username and password, and dump it in your htpasswd file.
>
> Download the .htaccess file under the admin directory. Open the file to see where the .htpasswd file is kept - then go download it. Generate a new set of credentials using this: http://home.flash.net/cgi-bin/pw.pl and dump the output into the .htpasswd file, then re-upload the .htpasswd file.
>
> Or, your control panel with your host should be able to provide a 'Password Protected Directory' link.
>
> david

Thanks, I understand now. Any thoughts on the risks, if any, in removing the .htaccess on the admin directory of the shop? Since I have the Multi-Admin w Levels contrib installed, will this put me at any risk?

Thanks!

Guest, posted March 7, 2007

> Thanks, I understand now. Any thoughts on the risks, if any, in removing the .htaccess on the admin directory of the shop? Since I have the Multi-Admin w Levels contrib installed, will this put me at any risk?
>
> Thanks!

Yes, it will put you at risk because the files beneath the admin folder will not be protected. So someone can run scripts directly from the sub-folders of the admin. Because the login mechanism of these contributions relies on the application_top.php. And of course we have plenty of files that are not using it (meaning not including it directly).
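
The check the reply above implies, as an added example that is not part of the original thread: a Python sketch that lists the .php files under an admin directory that never include application_top.php and therefore depend entirely on the .htaccess protection. The sample file names are constructed, and the include matching is a text heuristic rather than a PHP parser.

```python
import os
import re
import tempfile

# Text heuristic: an include/require statement that pulls in application_top.php,
# e.g. require('includes/application_top.php');
GUARD_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*application_top\.php", re.IGNORECASE
)


def unguarded_php_files(admin_root):
    """Return sorted relative paths of .php files under admin_root that never
    include application_top.php, so the application login does not run when
    the file is requested directly."""
    findings = []
    for dirpath, _dirs, files in os.walk(admin_root):
        for name in files:
            # application_top.php is the login check itself, so skip it.
            if not name.lower().endswith(".php") or name == "application_top.php":
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                if not GUARD_RE.search(fh.read()):
                    rel = os.path.relpath(full, admin_root)
                    findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample layout (not a real osCommerce install)."""
    samples = {
        "orders.php": "<?php\nrequire('includes/application_top.php');\n",
        "includes/application_top.php": "<?php\n// login check lives here\n",
        "includes/functions/report_helper.php": "<?php\nfunction report() {}\n",
        "includes/modules/export_tool.php": "<?php\necho 'export';\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in unguarded_php_files(tmp):
            print("no application_top.php include:", rel)
```
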

Jayson Wonder (Author), posted March 7, 2007

> Yes, it will put you at risk because the files beneath the admin folder will not be protected. So someone can run scripts directly from the sub-folders of the admin. Because the login mechanism of these contributions relies on the application_top.php. And of course we have plenty of files that are not using it (meaning not including it directly).

Yes, I understand. Thanks for that clarification.

This topic is now archived and is closed to further replies.