> I plead ignorance yet again. A user is asking about
> having a restricted login using htaccess. Now, I'm
> not completely clueless (Who am I kidding?), but I
> figured you'd have some experience with this.
>
> Is there anything specific I should tell him?

Tell him we can do it, ask him what directory should be protected, and find out from him how users will be added or deleted. If he just wants a few users, we can do it manually. If he wants users to be added on a regular basis, like some kind of membership, some kind of script will have to be done for him.

The terminology is wrong, but basically they are looking for password protection like we use on the NOC. Long, long ago, this was done by creating a file called .htaccess in the directory you wanted to protect which told the web server where to find the password list. Today, .htaccess is one way to have special HTTP server configuration settings for a specific directory. We use Directory statements in the config instead, because the user can't break that.

This is actually called "HTTP Authentication" or "Basic Authentication". The web browser sends a normal request to the web server. If the object being requested is protected, the server will send back a response that indicates that authentication is required. The web browser will prompt the user for a username and password, and resubmit the request to the server, this time with authentication credentials. The web server matches these against a file and either allows or rejects the request.

You can look at the VirtualHost definition on oxygen for wishuponawedding or the noc to see how this is set up.

*******

> It doesn't look too difficult. The only thing I'm confused by is the
> encrypted
> password in AuthUserFile, which makes it look like you can't just add a user
> by adding a line to the AuthUserFile. How do you add users, anyway?

Ah.
Unix uses a somewhat standard encryption algorithm (DES, not to be confused with our friends at the Department of Employment Security) for encrypting passwords for its own password file, and Apache also uses this. If you are writing a script to manage the file, it can typically do the encryption itself. C, Perl, and PHP all have functions for doing this. Apache also ships with a utility for managing these files from the command line, called htpasswd. There is a man page for it you can read.

DES is a one-way encryption. The password cannot be decrypted. When a user supplies a password to be checked, that cleartext password is encrypted and the result is compared to the encrypted password stored for that user.

*******

The answer to his question is yes, we can create a database for him on the MySQL server and give him access to it. The MySQL server is still running on oxygen.

Using cookies for authentication is much less secure than HTTP authentication, and it means a lot more work for him. Also, the protection would only work with scripts, not with static documents.

Incidentally, there is an Apache module that does HTTP authentication against a user list found in a MySQL database. I've never used it before, but if he would rather manage his user list in a database, we could set it up for him. I had been planning to set it up for a membership site I am working on.

> While I do now know how to set up a basic
> implementation of htaccess, I don't know how
> to answer this guy's question.
>
> Here's what the user said after I told him we could
> easily restrict access to a specific directory:
> ------
> I was thinking of a different approach. We actually need somewhere in the
> neighborhood of 80 users to have log in access. This is not critical secret
> information we are trying to protect. I was wondering if I could have
> access to MYSQL to have a list of usernames and passwords. I would use
> cookies to authenticate the user to the site.
> Please let me know if this is
> possible.
> ------
>
> MYSQL would be on magnesium, right? That's about
> all I know.
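The Basic Authentication exchange and one-way password check described in the first two replies, as an added example that is not part of this thread: it parses an AuthUserFile-style list, answers an unauthenticated request with the 401 challenge, and verifies the credentials the browser resubmits. The user list is constructed inline and uses the {SHA} form that htpasswd -s writes rather than DES crypt(), so it runs without a platform crypt library; the realm and user names are assumptions.

```python
import base64
import hashlib
import hmac

def sha_entry(password):
    """The {SHA} encoding htpasswd -s writes: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed AuthUserFile (not from the thread), generated here: alice/secret, bob/hunter2.
HTPASSWD_TEXT = "\n".join([
    "# AuthUserFile for the members directory",
    "alice:" + sha_entry("secret"),
    "bob:" + sha_entry("hunter2"),
])

def parse_htpasswd(text):
    """user:encoded-password per line; blank lines and # comments ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def check_password(stored, supplied):
    """One-way check: encode the cleartext the same way, then compare."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_entry(supplied))
    return False  # crypt/MD5/bcrypt entries are out of scope here

def handle_request(headers, users, realm="Members"):
    """Server side of the exchange: return (status, response headers)."""
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{realm}"'})
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return challenge  # first request: the browser will prompt and retry
    try:
        creds = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return 400, {}
    user, _, password = creds.partition(":")
    stored = users.get(user)
    if stored is None or not check_password(stored, password):
        return challenge  # same answer for unknown user and bad password
    return 200, {}

def basic_header(user, password):
    """What the browser resubmits after prompting: base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```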