Thread: Apache .htpasswd inquiry.

  1. #1
    Join Date
    Feb 2008
    Location
    Australia
    Posts
    10
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Question Apache .htpasswd inquiry.

    1) Script Title: Apache .htaccess & .htpasswd

    2) Script URL (on DD): http://www.tools.dynamicdrive.com/password/

    3) Describe problem:

    1.) when using the password generator, for the .htpasswd file, i notice that no matter how long the actual password is, the encrypted version only shows the first 13 characters. (and i'm asking this right now, as atm i can not test this for myself. if i could, i would just create a 13+ character password and try it using only the first 13 characters, and if it accepts it, then i'd know that after 13 characters it gets culled.) so is the password limited to only 13 characters ? (or are only 13 characters shown for security reasons?)

    1b.) if the answer to the above is that it is not limited to 13 characters, then that brings up another question: how does the file store more than 13 characters when it only has 13 ???? (unless i don't get the gist of how the whole thing works) shouldn't the number of characters shown in the encrypted file be the same in length as your password length ??

    1c.) why is the password limited to only alphanumeric characters ? is it a limitation of the apache rules for .htpasswd ? (because using other characters would surely greatly enhance the password)

    1d.) with my previous host i did have access to the level prior to the public path for my server. now i'm using shared godaddy hosting (linux) and i do not have such access. so what would my path be now if for example i wanted to protect the contents of folder 2 ? (ie: www.mysite.com/folder1/folder2/) and since i no longer have access to a level above the public folder, does this mean i shouldn't even bother with trying to use the apache .htpasswd/.htaccess method ?? (but if i should still use it, what ways can i make it - the using of the method - more secure ?)

    thanks,

  2. #2
    Join Date
    Aug 2004
    Posts
    10,138
    Thanks
    3
    Thanked 1,007 Times in 992 Posts
    Blog Entries
    16

    1) Regarding the password length at which point any characters entered are ignored, I believe this is an Apache setting, with 13 being the default. I could be entirely wrong, but here's a thread that sheds some light on the issue: http://www.webmasterworld.com/apache/3283888.htm

    2) There are a few other characters besides alphanumeric that are allowed I believe, but just for the sake of simplicity, I made the tool to only accept those characters.

    3) Basically .htaccess protects the directory it's in, plus all subdirectories of it. Your non-WWW root directory does not need protection since it's non-WWW accessible already.
    DD Admin
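
An added example, not part of the original thread: a small audit that classifies the hash field of each `.htpasswd` entry by format. It assumes the 13-character values discussed above are traditional crypt(3) DES output (2 salt characters plus 11 hash characters, computed from only the first 8 characters of the password); the sample entries are constructed and are not real hashes.

```python
import re

# crypt(3) DES: exactly 13 characters from [./0-9A-Za-z], whatever the password length.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
WEAK = {"des-crypt", "sha1", "unknown"}

def classify_hash(value):
    """Return (scheme, note) for the hash field of one .htpasswd entry."""
    if value.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", "salted, adjustable cost"
    if value.startswith("$apr1$"):
        return "apr1-md5", "salted MD5, dated but uses the whole password"
    if value.startswith("{SHA}"):
        return "sha1", "unsalted SHA-1"
    if DES_CRYPT.match(value):
        return "des-crypt", "only the first 8 password characters are used"
    return "unknown", "possibly plain text"

def audit_htpasswd(text):
    """Return (line number, user, scheme, note) for every entry in the file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, value = line.partition(":")
        if not sep:
            findings.append((lineno, user, "malformed", "no ':' separator"))
            continue
        findings.append((lineno, user) + classify_hash(value))
    return findings

def weak_users(text):
    """Users whose entry should be regenerated with a stronger scheme."""
    return [user for _, user, scheme, _ in audit_htpasswd(text) if scheme in WEAK]

# Constructed sample file: the values only imitate each format.
SAMPLE = """\
alice:abJnggxhB/yWI
bob:$apr1$constructed$0123456789abcdefghijkl
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:$2y$05$constructedconstructedconstructedconstructedconstr
erin:hunter2
"""

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(*finding, sep="\t")
```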

  3. #3

    Quote, originally posted by ddadmin:
        3) Basically .htaccess protects the directory it's in, plus all subdirectories of it. Your non-WWW root directory does not need protection since it's non-WWW accessible already.

    you lost me. i clearly stated that with my current host (shared godaddy) i do NOT have access to a directory other than my site's root. so i can NOT place the .htaccess as it is recommended. the one i'm using now is placed in the root of my site (mariosworld.org). with my previous host i could go down one more directory before that, which was actually called "www" and place it there. i can no longer do this.
    Last edited by Mario_AU; 01-29-2009 at 07:26 AM.

  4. #4

    That's my point actually- it shouldn't matter whether you place your .htaccess file in the directory above (one level up) from the root www directory, or within the root www directory itself:

    /mysite/.htaccess
    /mysite/www/.htaccess

    When it comes to password protection, .htaccess protects web pages from being viewed by outsiders. Placing the file in either of the locations above accomplishes the same thing: it prompts the user for a password when he/she goes to any page in /mysite/www.
    DD Admin

  5. #5

    ??? really ??
    then what about the bold statement. (i'm easily confused)

    Q: For 2) above, what should I enter as the path?
    A: ".htpasswd" is a text file that is used to contain your usernames and encrypted passwords. Enter the path you will be placing your .htpasswd file (which contains the usernames/passwords) on the server. It should be a non user accessible location, such as directly above your public HTML folder. This is to prevent visitors from directly viewing this file in their web browser.

  6. #6

    Ideally you should always place the .htaccess file above the web accessible, /www directory, in case your server isn't configured to automatically disallow viewing of .htaccess files, by going to http://mysite.com/.htaccess, for example. However, most web hosts disable this by default already, so it's not an issue as long as you belong in that category.
    DD Admin

  7. #7
    Join Date
    Oct 2009
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Is there a way we can add an exception for one file under the directory protected by .htpasswd, like an "index.html"?
