Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Password Authentication - A How To


licensed2kill

Recommended Posts

Posted

I thought I'd post a clear guide as most of the guides I found on this issue are very vague.

 

This guide describes how to protect your Admin directory so strangers would not get into your osCommerce site and screw things up from the browser. This is a very abstract guide. You need to dig in more for further customization.

This is specific to the following, and could be different for other releases.

 

Installed on RedHat 8.0

osCommerece 2.2

Apache

 

Assumptions:

 

You've your osCommerece suite in;

 

/home/osC

 

You've your /admin directory in;

 

/home/osC/admin

 

################Steps#####################

 

 

1) Goto your /home/osC/admin directory which you want to password protect.

There should already be a file named ".htaccess". Edit it, if not create the file.

Add the following lines as shown below between the "*************":

 

Comments are in "//"

 

************************************************

AuthName MySecuredStuff //could be any name

AuthType Basic //authentication protocol type. Don't change it.

AuthUserFile /var/www/html/users //the file which holds the login/pw which is

//called 'users' conveniently here.

require user yourName //yourName is the login name.

 

*************************************************

 

2) Creating the login/pw.

 

Use the linux program "htpasswd" to create user login/pw pairs. See below for an example:

 

*************************************

htpasswd -c /var/www/html/users userName

 

*************************************

 

Here "-c" is for to create a new authentication file named "users" in the "/var/www/html/" path.

 

userName here is the user's name you're going to be using.

 

After pressing enter, you'll be prompted to enter your password. Enter your password. And verify it. The encrypted password is now saved in /var/www/html/users file which is relevant to LINE #3 from step #1.

 

The user name you created is relevant to LINE #4 from step #1

 

3) Changing the Permissions for the 'users' file. To make Apache (webserver) access your 'users' file which contains the login information, you need to change the permissions.

 

Issue the following commands.

 

*************************************

chmod o+r users

 

*************************************

 

or

*************************************

chown apache users

chmod u+r users

 

*************************************

 

4) No, we are not done yet. ;) Edit the "httpd.conf" file which should be located under the path "/etc/httpd/conf/httpd.conf".

 

Under your "Vitual Host" settings right under the appropriate domain look for the following lines between the ****************:

 

*************************************

<Directory "some entry" >

AllowOverride AuthConfig

/Directory>

 

*************************************

 

Here the "some entry" should be your path of your "admin" directory.

 

If you don't have an entry like above, and most of you won't, add it to look like this below:

 

*************************************

<Directory "/home/osC/admin" >

AllowOverride AuthConfig

/Directory>

 

*************************************

 

Make sure you add these entries under your domain name, and dont' forget the "AllowOverride AuthConfig" override variable. And of course, the path should reflect your own /admin path which is in between the quotes.

 

 

Give it a kick to Apache by restarting with;

 

*************************************

service apache reload

 

*************************************

 

And you're set. Now, for every session, you'll be prompted to enter your login info when trying to access the /admin directory on your web.

 

Feel free to add any comments if I've missed anything.

 

 

Jey

XOR Solutions Canada

  • 2 weeks later...
Posted

I believe I have done all of this, but password access is not work. It just comes up without challange.

I will move my password file after I get a challange response.

 

.htaccess

[root@otg-dss admin]# more .htaccess

AuthUserFile "/home/httpd/html/OTG-DSS/su/catalog/admin/passwd"

AuthName "Chapps Store Administration"

require ajpeters

Satisfy All

order deny,allow

 

passwd

test:$1$tA2.yp0.$1yPlmitZ0MQ1Vy2FK33qw1

ajpeters:$1$h.AzFIcz$GEMj2wsqiYroIPF.RZAw./

subuetz:$1$mIxBjcMY$SKptfooz8GNdwNefYVZ0t1

 

httpd.conf parts.

 

#

# Each directory to which Apache has access, can be configured with respect

# to which services and features are allowed and/or disabled in that

# directory (and its subdirectories).

#

# First, we configure the "default" to be a very restrictive set of

# permissions.

#

<Directory />

Options FollowSymLinks

AllowOverride

</Directory>

 

#

# Note that from this point forward you must specifically allow

# particular features to be enabled - so if something's not working as

# you might expect, make sure that you have specifically enabled it

# below.

#

 

#

# This should be changed to whatever you set DocumentRoot to.

#

<Directory "/home/httpd/html">

 

#

# This may also be "None", "All", or any combination of "Indexes",

# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".

#

# Note that "MultiViews" must be named *explicitly* --- "Options All"

# doesn't give it to you.

#

Options Indexes FollowSymLinks ExecCGI

 

#

# This controls which options the .htaccess files in directories can

# override. Can also be "All", or any combination of "Options", "FileInfo",

# "AuthConfig", and "Limit"

#

AllowOverride All

 

#

# Controls who can get stuff from this server.

#

Order allow,deny

Allow from all

</Directory>

.

.

.

.

.

.<VirtualHost 209.32.151.7>

DocumentRoot /home/httpd/html/OTG-DSS

ServerName OTG-DSS.COM

ServerAlias www.otg-dss.com

DirectoryIndex index.html index.htm default.html default.htm index.php

Alias /berkness /storage/httpd/html/BERKNESS

</VirtualHost>

<Directory "/home/httpd/html/OTG-DSS/su/catalog/admin" >

AllowOverride AuthConfig

</Directory>

 

 

Where do I look next?

<_<

Posted

I am on a Caldera eServer 2.3 running Apache 1.3.9.

 

Who do I check to see if I have auth mod turned on in my configuration? I have loaded an auth..so in my httpd.conf file.

Posted

I would never stray from using .htpasswd or some other .htusers or .htwhatever as a password file.

 

Seems like I remember there being something in Apache, some directive or something built in, that handles anything ".ht" specially... treating them as hidden files and not displaying them in a web browser or something... can't really remember more than that. May want to check out Apache.org to check this out. Not to mention a file with a "." at the beginning is a hidden file on *nix systems.

Posted

AJPeters:

 

You posted a helluva lot of sensitive info up there. If you don't understand the full implications of what you posted, then please edit out your password hashes and your directories or ask an admin to do it. If you do understand the implications and what you posted is of no consequence (and you are very sure of this) then I'll just leave this as a warning to anyone else who might read. Please do NOT post directory paths to sensitive data, and do not post the sensitive data itself. I'll not go into it too much, but you could potentially be handing a cracker the keys to your account (even if it was a throw-away password on a test setup).

Posted

Hi experts, I've set all things as descript... the login screen comes up as well...

But... the problem is, I key in the username and password which I created and still cant get in. I have tried many times with many different combination of username and password.

 

PLEASE HELP !!

Posted

Just a small point about creating a htpasswd. Not everyone will be able to do it the way that was outlined, but put "htpasswd" into a search engine to find a generator online. My hosting company provides this facility as well.

Posted

Man thats alot of work to password protect something. Glad my host has a "password protect" installed....hehehe. I just log in, pick the folder, give a user/password and it's done. Got to love unix, microsoft sux.

The Wiki Docs: Read them, live them and be thankful for them!

Posted

Ahh........ That answers my question. I don't know much about this stuff but was gonna ask what the difference was between this and just going to my cpanel and clicking on the password protect for admin dir. I'm guessing it is the same thing only some people must not have that option.

Posted
Seems like I remember there being something in Apache, some directive or something built in, that handles anything ".ht" specially... treating them as hidden files and not displaying them in a web browser or something... can't really remember more than that.

 

Checkout using the following directive in your .htaccess file such as

 

IndexIgnore .htaccess

IndexIgnore *.ihtml

IndexIgnore *.jpg

IndexIgnore *.jpeg

IndexIgnore *.png

 

these should prevent these files being listed in any directory that is missing the index.html or index.php files.

etc etc. HTH

  • 4 weeks later...
Posted

This is for BT Cheng's Q

 

If that's the case, then it's mostly related to not setting the permission to read/write/eXe the "user" file which holds the l:p pair. It can be found under

/var/www/html directory.

  • 2 weeks later...
Posted

If you have access to the servers httpd.conf file -

 

DONT USE .HTACCESS FILES!!

 

Use the Directory directive in the configfile instead.

 

Why? Because

 

For more information, see the apache documentation

Posted

I use Ipowerweb if anyone is familiar with it.

 

This is what I did to secure my admin directory:

 

All i did was password protected the admin folder, is that all i do?

 

Please advise, thanks

Posted
All i did was password protected the admin folder, is that all i do?
Yes, in web hosts that support it, you can just use their directory password protection. Usually, it just does the stuff in this thread for you.

 

Hth,

Matt

Always back up before making changes.

Posted

osc jed as you have put in big letters to not use htaccess files and some who come here may not have enough savvy about the Directory directive, perhaps you could expand upon it more.

Posted
If you have access to the servers httpd.conf file -

 

DONT USE .HTACCESS FILES!!

 

Use the Directory directive in the configfile instead.

Basically what he's saying is that the .htaccess files incur a slight performance hit to the server. If you own the server or have root access (which usually only happens when you own the server) it's better to use the directory directives for performance reasons (and from keeping those pesky users from changing stuff around in the space they rent).

 

I would say that the majority of people likely won't have access to the server configuration files. So if you have an account with a web hosting service, this wouldn't apply to you. Also, some of the contributions that enable email/password protection provide additional protection above the .htaccess level, which is a pretty basic security level.

 

-C.

Posted
Also, some of the contributions that enable email/password protection provide additional protection above the .htaccess level, which is a pretty basic security level.
This doesn't read right to me, from that statement, it sounds like the contributions provide *stronger* protection than does htpasswd, which is incorrect. The contributions provide a weaker form of protection (they rely on including code in each file to keep the file from being accessed; the htpasswd method prevents access to the entire directory tree for those who can't authenticate) but allow more *complicated* protection schemes. For example, one of the contributions allows admins to have different levels of access. Thereby, one admin might be able to add products but not view orders while another admin might be able to view orders but not add products. The htpasswd method could not do this, as it protects whole directories at a time.

 

Btw, while I would agree that httpd.conf <DIRECTORY> directives are more efficient, I'm not sure that I would recommend them for those who aren't sure of what they are doing. There are several .htaccess files that come with the standard osC distribution. If you turn off .htaccess to use <DIRECTORY>, then you need to port those .htaccess files into httpd.conf. This is not terribly difficult, but it can leave the store insecure if you do it incorrectly.

 

One can use both .htaccess and <DIRECTORY> together, but that still gives the performance hit. The performance hit is caused by having .htaccess checking on...it doesn't really matter if it is used once it is on.

 

Hth,

Matt

Always back up before making changes.

Posted

I use Windows and O'Reilly WebSite as a testing server. There the method of securing the /admin directory is totally different in manner of steps, its using just three sheets.

But my question is: Why do the admin area have to rely on web server's directory protection?! It would be very nice and much more reliable and troublefree to have implemented a simple challenge-based login page for admins, where the admins are just the highest-level access persons in a two, or three level tiered authentication system.

The way with server's controlled access, there is no Log out possibility except for closing the borwser, so someone sits after me and voila - has access to my admin area ;(

I'm working on my own e-shop software where all security/access/auth is controlled by the script rather than relying on web server. But until it's done, I'll use osCommerce because it is really the best I got after many days of investigating for such software.

Posted

Two things:

 

1. There are contributions to provide file based password protection.

 

2. As I mentioned above, file based password protection is strictly less effective than directory based password protection, as it relies on the *file* to protect itself. With directory based protection, it automatically protects all files in that directory (and subdirectories). Thus, directory based protection is more reliable than file based protection. Also, it's not vulnerable to things like the password reset vulnerability that almost got Microsoft fined a trillion dollars (ok, almost might be pushing it; it was mentioned though).

 

The disadvantage of directory based protection is that it protects all files equally. You can't give access to one person but withhold it from another.

 

Cheers,

Matt

Always back up before making changes.

  • 2 weeks later...
Posted

newbie needs help......

 

 

I have bought a 12 mth plan for godaddy.com to host my oscommerce page, and they don't support htaccess!!!! There is EXTREMELY limited control panel for my settings, and there is no way to password protect a directory (they say)

 

 

Does anyone know what i can fo??? (without changing hosting account!)

function over form

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...