For an organization I'm in, I'm trying to create a members only section. We had one in a place where our site was previously located, set up by someone else, and we had to move and don't have that person's help anymore.

We didn't have one of those cheesy javascript password screens, either. I believe it was one of the usual ones that require login and pass.

I also had all the files from the old site location on my computer. I attempted to just copy them over to the new location, but it doesn't seem to work.

The last time I talked about this, people talked about .htaccess files, and someone posted a link about them. I remember I tried the things I read from that site, but it told me I needed to telnet into the site and make changes to the .htaccess files. Unfortunately, I can't telnet into the site at all.

Any help you guys can give me?

HTTP Authentication can be done with PHP if it is running as an Apache module (on an Apache server of course).

Wouldn't this have to be placed on every page you wanted to protect? The way we had it before, we could protect every single file and directory one folder and its subfolders.

have u ever used .htaaccess files?

Depends on how it is coded. If it is done correctly you'd only need code to check for authentication, and you could have the code in another file and just require() it.

Also, you should be able to use .htaccess files by editing them on another machine and then uploading them to the server. Your only problem would be creating a htpasswd file, which you could overcome by using htpasswd on another machine. Don't quote me on that, as I've never tried it, but it should work.

Also, this isn't your only option. Using PHP, you can create a login system using session variables, and stick login-checking code into an auto-prepend file, so that it's automagically require()'d into ever PHP page. The downsides are 1) you need to configure PHP with an auto-prepend file, if it isn't already, and 2) it will only protect PHP files, or files that are processed by PHP in the configuration.

Exactly. You just need to upload an .htaccess file and, possibly, an .htpasswd file to that directory, just as you would any other file. This assumes that your web server is running Apache and that the Apache administrator has given you the permissions to change server configs in .htaccess files. Also, the .htpasswd file can definitely be generated anywhere. It just uses the standard Unix crypt() function to generate the encrypted password, just like in a real passwd file.

Okay, so how do I edit this file? I've looked in it, and it's only a few lines, but I didn't see where our previous passwords were stored. I might not fully understand how it all works. Actually, I'm pretty sure I don't.

Another problem is that when I'm uploading the .htaccess file (using CuteFTP) I can't see it in the directory once it's uploaded. Is that a bad sign?

Auth in Apache is covered in this document.

You shouldn't be able to see the .htaccess file, otherwise people could see it and, perhaps, figure out how to circumvent it.

Thank you very much for that link. It was all explained very well. I understand it much better now.

However, I do need to create the passwords somehow. The .htaccess file I have would work, but naturally the password files are located in a different directory on our new server, and even then, they wouldn't really exist because I've never created them.

So how do I create the passwords and with no access to where the Apache server wants to store them??

Apache doesn't care where you put the password file, so how can you not have access to it?

Just put it in the same directory as the .htaccess file, call it .htpasswd, and then do something like this in the .htaccess:

AuthUserFile /usr/www/users/me/privatedir/.htpasswd

The link above tells you how to make the file.

Alex

But that link seems to say you need to be at some sort of command prompt. I'll re-read it, though.

After reading it again, I still can't see anything that tells me how to make the password file like I was saying. I can't telnet into the server, and I certainly don't have physical access to it, so how can I type in prompts like those?

Yet another problem is that I'm not certain what my path is. I don't know where my organization's site is located on the server. Is there any way I can find this out myself with only basic FTP access?

Do not put the .htpasswd file in the same directory. If it's there, someone could easially grab it and know all the users on the system, plus have an easy time at cracking the passwords.

The logo site uses .htaccess for logins, and the password file sits in a very restricted folder in my home directory, and no web address can access it.

You needn't use that program on that server or even use that program at all. It just generates a file with mutiple lines in the format ``username:encrypted-password'', like ``wfaulk:Ki9njd0n''. You can generate the encrypted password by using the standard Unix crypt() function. If you have access to another Unix machine, you can use this source code to generate it:

#define _XOPEN_SOURCE

#include <stdio.h>

#include <unistd.h>



int main(int argc, char *argv[]) {

        if(argc<2) fprintf(stderr, "Usage: %s string [salt]\n", argv[0]);

        else if(argc<3) printf("%s\n", crypt(argv[1], argv[1]));

        else printf("%s\n", crypt(argv[1], argv[2]));

        return(0);

}

(or you could just compile the htpasswd program.)

Thanks for the help!

So this file has to be encrypted in order to work? Can I just create a file with the correct name and a log/pass in it and upload it to an obscure directory?

Also, our current .htaccess file has something I haven't seen in the links people have given here. It looks like this:
<Limit GET>
</Limit>

Also, what about the directory path thing?

If you toss:
<?php
echo $u.":".crypt($p);
?>

Into a file, say pass.php, upload it to your website and then call it as
http://mysite.com/pass.php?u=USER&p=PASS
It will return a line for the user 'USER' with the password 'PASS' that you can throw into a password file.
-Geoff