Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.

Htaccess Problem


Recommended Posts

No one seemed to see this question in the security topic so I'm posting here, I hope that's ok


I have changed my admin folder as described and applied password protection via cpanel but when I log onto my osc I get a message in administration saying:


Additional Protection With htaccess/htpasswd

This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.


The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:




Reload this page to confirm if the correct file permissions have been set.


????=my directories


When I look in the directories there is only a .htaccess file and no .htpasswd file


Any help anyone?


Link to comment
Share on other sites

Perhaps this will help. This is from my .htaccess admin file. Notice two things:

1. The path to the password file.

2. The path is outside of the internet (website) file to make it much harder for someone to access your password.


The password file could have another name but it should tell you where to find it

The .htpasswds is a folder outside of my web path.


AuthName "OS Commerce Administration"
AuthUserFile "/xxxx/xxxx/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user


To do a little research to help you understand a little better, enter the code below into google search engine.

site:www.oscommerce.com/forums [.htaccess admin password file]


Here is some comments by some qualified individuals from oscommerce community:


where to put .htpasswd file for admin .htaccess

Link to comment
Share on other sites

  • 2 months later...

One thing to note when using basic authentication, is that it has several weaknesses and where possible forms-based authentication should be used.


Basic authentication transmits login credentials over HTTP (not HTTPS), which opens up the potential for interception. In addition, credentials are encoded as base64, which is trivially decoded - thus if an attacker is able to intercept login requests, they will be able to determine the username and password and gain access to any directories protected with basic auth,


From a security perspective, it is much more secure to limit access to the admin directory to only known administrative IP addresses - rather than employing basic authentication.



James, Penetration Tester @_securatek


Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...