Password Protect Wholesaler Web Pages

Hi,

Can you recommend a good software program that I can use to password protect
select pages on my web site. I am about to add a wholesale distribution
section that I do not want regular customers to access.

The software must allow me to manage my wholesalers login password.

Davis
http://www.segiftware.com
NotePad

On Thu, 23 Dec 2004 1221 GMT, "Davis" <nospam@worldnet.att.net>
posted something that included:

>Hi,
>
>Can you recommend a good software program that I can use to password protect
>select pages on my web site. I am about to add a wholesale distribution
>section that I do not want regular customers to access.
>
>The software must allow me to manage my wholesalers login password.
>
>Davis
>http://www.segiftware.com
>NotePad

It's a lot more reliable to use htpasswd than anything else, very
versatile, very easy - and you can either protect individual files, or
you can protect entire directories.

To protect an individual file called secretfile.html, you add this to
the .htaccess file for that directory. (If you are protecting the
entire directory, eliminate the <files> and </files> lines)

<files secretfile.html>
AuthUserFile /home/davis/passwd
AuthGroupFile /dev/null
AuthName EnterYourPassword
AuthType Basic
require valid-user
</files>

You create a password file at /home/david/passwd

If you have shell access, type
htpasswd -bc /home/davis/passwd user19 anthrax
to create a new password file with user19 as a user whose password is
anthrax. To add a second user to the password file, you use
htpasswd -b /home/davis/passwd user20 pneumonia
(Using the -c flag would overwrite the original file. Oops!)

If you don't have shell access, you need to edit that file by hand.
Each line starts out with the username followed by a colon and the
encrypted password. There's a utility at
http://paulding.net/bin/crypt.cgi that will generate the encrypted
passwords for you. If you enter pneumonia as the password, you get
back something like "pneumonia:pNV0ZhfRnQwJw" You don't need the
password in both plaintext and encrypted form in the passwd file,
though. Change that to user20:pNV0ZhfRnQwJw and add that line to the
end of the password file.

To remove someone's access, simply delete their line in the password
file.

This is *really* basic authentication; if you'd like to explore some
of the more advanced things you can do, check out these two pages.
http://httpd.apache.org/docs-2.1/howto/auth.html
http://httpd.apache.org/docs/programs/htpasswd.html



--
If we're losing 40-130 species a day,
How come nobody can itemize them?
And why can't fruitflies be one of them?

Davis <nospam@worldnet.att.net> wrote:
> Hi,
>
> Can you recommend a good software program that I can use to password protect
> select pages on my web site. I am about to add a wholesale distribution
> section that I do not want regular customers to access.

If you're using PHP, GenieGate would probably work good for you, though I'd
need to find out some details. (You can contact me from the web page listed
in my signature)

In addition to controlling access to whole pages, you can control portions of
the same PHP page with it, (so wholesalers see a slightly different page) This
is kind of handy if you wanted the same pages indexed on search engines.

> The software must allow me to manage my wholesalers login password.

If you have multiple wholesale dealers, (perhaps with different levels)
it would be a simple matter of setting up a group for each level and then
adding the dealers to the group.

You can control login passwords and stuff. (also has a "send password in email"
for people who forget their password)

Mine is free, but requires a text ad for free version.

There are many other password managers and user account managers on
hotscripts.com. I admit, mine is probably a bit harder than the others to
setup, it's really designed more as something you integrate with a web site.
(part application, part API)

Jamie
--
http://www.geniegate.com Custom web programming
guhzo_42@lnubb.pbz (rot13) User Management Solutions

I can turn on shell access in my control panel. I assume that I create this
..htaccess file with Notepad and save as .htaccess. I'll have several .html
files to enter in the <files></files>. Is this possible? I need an example
for 3 files (whole_sale_dist.html, howtosell.html, and download.html).

> <files secretfile.html>
> AuthUserFile /home/davis/passwd
> AuthGroupFile /dev/null
> AuthName EnterYourPassword
> AuthType Basic
> require valid-user
> </files>
REPLY: Other than Davis, I have 5 more wholesalers. Do I have to create the
above file for each wholesaler or simply enter the line AuthUserFile
/home/name/passwd between <files></file> for each of the 5 wholesalers?

> You create a password file at /home/david/passwd
> If you have shell access, type
> htpasswd -bc /home/davis/passwd user19 anthrax

REPLY: Where in the .htaccess file is this syntax used? Do I have to create
this password file for each of the 5 accounts? Using your example it would
seem that

htpasswd -bc /secretfile.html/davis/passwd user19 anthrax would be the
proper syntax. Why use */home* instead of *secretfile.html* if we are
protecting *secretfile.html*?

> To add a second user to the password file, you use
> htpasswd -b /home/davis/passwd user20 pneumonia
> (Using the -c flag would overwrite the original file. Oops!)

REPLY: Three users are insufficient. How do I avoid overwriting the original
file? Can you recommend a good tutorial?

This method appears to be time consuming and would require devoting a lot of
time to password management, but I'm willing to test it.

It would help to see exactly how this .htaccess file looks when properly
formatted (assuming I have shell access). I think I can turn shell on.

Thanks,

Davis G Howard
=====================================
"Paul Ding" <lancastir@webtv.net> wrote in message
news:qifms05vd54e377jm42tbc634m12dr7abj@4ax.com...
> On Thu, 23 Dec 2004 1221 GMT, "Davis" <nospam@worldnet.att.net>
> posted something that included:
>
> >Hi,
> >
> >Can you recommend a good software program that I can use to password
protect
> >select pages on my web site. I am about to add a wholesale distribution
> >section that I do not want regular customers to access.
> >
> >The software must allow me to manage my wholesalers login password.
> >
> >Davis
> >http://www.segiftware.com
> >NotePad
>
> It's a lot more reliable to use htpasswd than anything else, very
> versatile, very easy - and you can either protect individual files, or
> you can protect entire directories.
>
> To protect an individual file called secretfile.html, you add this to
> the .htaccess file for that directory. (If you are protecting the
> entire directory, eliminate the <files> and </files> lines)
>
> <files secretfile.html>
> AuthUserFile /home/davis/passwd
> AuthGroupFile /dev/null
> AuthName EnterYourPassword
> AuthType Basic
> require valid-user
> </files>
>
> You create a password file at /home/david/passwd
>
> If you have shell access, type
> htpasswd -bc /home/davis/passwd user19 anthrax
> to create a new password file with user19 as a user whose password is
> anthrax. To add a second user to the password file, you use
> htpasswd -b /home/davis/passwd user20 pneumonia
> (Using the -c flag would overwrite the original file. Oops!)
>
> If you don't have shell access, you need to edit that file by hand.
> Each line starts out with the username followed by a colon and the
> encrypted password. There's a utility at
> http://paulding.net/bin/crypt.cgi that will generate the encrypted
> passwords for you. If you enter pneumonia as the password, you get
> back something like "pneumonia:pNV0ZhfRnQwJw" You don't need the
> password in both plaintext and encrypted form in the passwd file,
> though. Change that to user20:pNV0ZhfRnQwJw and add that line to the
> end of the password file.
>
> To remove someone's access, simply delete their line in the password
> file.
>
> This is *really* basic authentication; if you'd like to explore some
> of the more advanced things you can do, check out these two pages.
> http://httpd.apache.org/docs-2.1/howto/auth.html
> http://httpd.apache.org/docs/programs/htpasswd.html
>
>
>
> --
> If we're losing 40-130 species a day,
> How come nobody can itemize them?
> And why can't fruitflies be one of them?

I think there is some confusion between the role of /home/davis/passwd,
secretfile.html and .htaccess

I'll try and clarify them:

secretfile.html - Web resource to protect.
..htaccess - Per-directory configuration (Apache web server).
/home/davis/passwd - Stores username and password combinations.

..htaccess tells Apache: use the password file /home/davis/passwd to determine
who can gain access to the following resources.

Davis <nospam@worldnet.att.net> wrote:
> <files secretfile.html>
>> AuthUserFile /home/davis/passwd
>> AuthGroupFile /dev/null
>> AuthName EnterYourPassword
>> AuthType Basic
>> require valid-user
>> </files>
> REPLY: Other than Davis, I have 5 more wholesalers. Do I have to create the
> above file for each wholesaler or simply enter the line AuthUserFile
> /home/name/passwd between <files></file> for each of the 5 wholesalers?

In the above example, anyone with a password entry in /home/davis/passwd
will have access:

tom:<crypted_passwd>
dick:<crypted_passwd>
harry:<crypted_passwd>

Now tom, dick and harry have access to "secretfile.html"

Mosty people protect entire directories instead of just one file though.

>> You create a password file at /home/david/passwd
>> If you have shell access, type
>> htpasswd -bc /home/davis/passwd user19 anthrax
>
> REPLY: Where in the .htaccess file is this syntax used? Do I have to create
> this password file for each of the 5 accounts?

No, you just append a line to your passwd file for each user.

> htpasswd -bc /secretfile.html/davis/passwd user19 anthrax would be the
> proper syntax. Why use */home* instead of *secretfile.html* if we are
> protecting *secretfile.html*?

Actually, more like: htpasswd -bc /home/davis/passwd user19 anthrax

Because /home/davis/passwd (in above example) stores username and passwords.

It is very _VERY_ important to keep passwd away from web space. Some folks
will place passwd into a protected web directory, I feel this is a bad
practice, passwd should be kept outside of the web site completely. (Otherwise
if you made a mistake in the web server config or temporarily removed
an .htaccess or something, someone could download the password file crack
the passwords. Try to keep your passwd file outside the web directory.

>> To add a second user to the password file, you use
>> htpasswd -b /home/davis/passwd user20 pneumonia
>> (Using the -c flag would overwrite the original file. Oops!)
>
> REPLY: Three users are insufficient. How do I avoid overwriting the original
> file? Can you recommend a good tutorial?

Just append them or use different usernames.

The -c in his prior example tells the htpasswd utility to "create new password
file", without the -c it appends.

The full detail can be found somewhere on http://httpd.apache.org/ or
from shell access do: 'man htpasswd'

> This method appears to be time consuming and would require devoting a lot of
> time to password management, but I'm willing to test it.

GenieGate can manage that type of password file for you, (as well as
DBM based passwords) if you like.

However, if you only have 3 dealers, it's probably not worth your time to
install a user management package, just use htpasswd and be done with it.

Jamie
--
http://www.geniegate.com Custom web programming
guhzo_42@lnubb.pbz (rot13) User Management Solutions