scriptygoddess

03 Jan, 2004

htaccess password protection

Posted by: Jennifer In: Bookmarks

I've been searching for ways to password protect a directory using usernames and passwords stored in a MySQL database.

Found these links so far:
Advanced htaccess tutorial (scroll down to the Module: mod_auth_mysql part)
PHP security admin (freshmeat.net project) * (realized after I downloaded this that it won't do what I'm looking for – this will protect PAGES, not an entire directory)

(If you find any – feel free to post them in the comments)

8 Responses to "htaccess password protection"

1 | Phil

January 3rd, 2004 at 4:00 pm

I use a program called RegisterMe! (http://www.eastwright.com/internet/register) and I really like it. It uses .htaccess and users can register themselves and you can approve and manage users. I would really like something that allows me to control the a little bit more. I would like the pages (at least the ones the user sees) to match more of my site's look. I like how your site is done, what do you use for that?

2 | Jennifer

January 3rd, 2004 at 4:07 pm

You mean the password protection on my personal journal? I wrote that script myself. I've been debating releasing it here – I'm feeling more confident about its security – but I'm still a little hesitant. For starters, I just don't have time to support it – and it's frustrating for me and the people who try to implement it (they post "It doesn't work" in the comments, and I don't have time to respond and help everyone).

But also – with MT releasing 3.0 soon – and the ability to restrict comments to "registered" users – I wonder how much people will still want complete site password protection. The two are different, but people might not see a difference so subtle. (Similar to how people are using my comment queue script to prevent comment spam – it was never intended for that purpose, and doesn't do a good job for it because of that)

I'm rambling… I'll stop now. 😀

3 | Phil

January 3rd, 2004 at 4:45 pm

I know I will continue to run a password-protected blog. I use it to post things that I don't want my family to read (I know for a fact some of my family reads it) and things like that. What I am hoping (and I am thinking about emailing Ben and Mena about it) is that 3.0 will have password-protected blogs or entries or something like that. I also hope that registration can be optional. For example, a friend of mine can register and it would give me the ability to "track" his/her commenting as well as give them access to the private blog/entries. But the casual reader can post a comment without registering. I guess I could email them that suggestion, but I am sure if they weren't planning to do that it is too late to implement it. Maybe someone would be able to make a script/hack that would be able to do that.

4 | Jennifer

January 3rd, 2004 at 6:31 pm

My script could be modified to do that… If I decide to release it – I'll let you know! 😉

5 | Phil

January 4th, 2004 at 2:57 am

Well, one of your concerns about your script was security. If you design it to hook into the MT registration DB wouldn't that issue go away? It would be just as secure as MT, right, because you would just simply be calling MT. Just a thought, I don't really know what I am talking about though haha.

6 | joat

January 4th, 2004 at 9:01 am

If you write a PHP script which allows upload/download/edit/whatever and put it in the directory, named as "index.php", wouldn't that work? 'Course, you'd have to protect "index.php" though.

7 | -jul-

January 21st, 2004 at 11:43 am

I wrote my very own authentication method. No, not to my blog, but for my company's projects. It's pretty easy. Usually I don't use .htaccess, but auth-through-php with session handling.

If you want to use .htaccess with Apache, you have to separate it into pieces: a) selection, b) mod_access, and c) mod_auth*. a) embeds b) embeds c).

a) You select what you want to protect. It can be a directory (default in .htaccess), or files (use <Files> or <FilesMatch>). Then you can narrow by request type (get, post etc) with <Limit>.

b) Optionally, you can limit access from IP addresses with Allow, Deny, and Order.

c) Now use your mod_auth* commands (AuthType, AuthName, user and group selection, and require directives)

Alternatively, you can set up a 403 error page to gently deny access.

OK, OK, you may say, but where's the business logic?

First I ask a very simple question: Why do you want to implement the protection? A common problem can be catching spammers. We can call this the Anti-Turing's-Test. This is usually done by generating a picture that cannot be OCR'ed (except by the human brain), and requiring the user to write it back. This is good, but every ATT (Anti Turing's Test) has a problem: you cannot make a perfect filter. This way you filter the blind. If you generate an audio file, you filter the deaf. If you ask them to answer a quiz, you filter dumb and/or non-native English speakers. If you write your question's letters in garbled order, you filter the dyslexic. If you ask them to enter a valid credit card number, that is questionable for security. Either way, you cannot ask them to say 'No, I am not a robot.' Further reading: http://www.w3.org/TR/turingtest/

Then decide, do you need a self-care subscription method? If yes, maybe you have to have a self-care unsubscription and/or 'forgot password' function. You have to ban people. You have to register people, and you have to moderate out some comments from people. Aggressive people tend to write more aggressive comments: you have to have an option to see all their comments.

This is much more than your first question: this is about creating/searching for an appropriate tool.
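
The three layers listed in comment 7 (selection, mod_access, mod_auth*), sketched as one .htaccess file. This is an added example, not part of the original comment; the password file path, realm name and address range are placeholder assumptions, and it uses a flat password file (mod_auth) rather than the MySQL backend the post asks about.

```apache
# Added example (not from the comment above). The path, realm and address
# range are placeholders. Needs "AllowOverride AuthConfig Limit" for this
# directory in the main server configuration.

# a) Selection: this .htaccess covers its own directory and everything
#    below it. No <Limit> wrapper is used on purpose, e.g.
#        <Limit GET POST>
#            Require valid-user
#        </Limit>
#    would leave other methods (PUT, DELETE and so on) unauthenticated.

# c) mod_auth: who may log in. Keep the password file outside the web root.
#    Basic auth sends the password base64-encoded, not encrypted, so this
#    directory should only be served over HTTPS.
AuthType Basic
AuthName "Private area"
AuthUserFile /home/example/private.htpasswd
Require valid-user

# b) mod_access: which hosts may connect at all.
#    (Apache 2.4 replaces Order/Allow/Deny with "Require ip ...".)
Order Deny,Allow
Deny from all
Allow from 192.0.2.0/24

# Require both b) and c) to pass. "Satisfy Any" would let a host in the
# allowed range in without a password.
Satisfy All

# Never serve .htaccess/.htpasswd files themselves.
<FilesMatch "^\.ht">
    Order Allow,Deny
    Deny from all
    Satisfy All
</FilesMatch>
```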

8 | timtak

March 7th, 2004 at 8:18 pm

Dear Jennifer
I would be interested in the password protection if you feel up to posting it. I can't use .html access on my site. Perhaps I should not be using password protection either. Oops.

I came here looking for a way of moving the grat-green stripe that is to the right of mt-logo.gif but I am not finding anything relevant. One day.

Tim
