- Question about user authentication

Post by Marc Slemk » Wed, 23 Apr 1997 04:00:00



Erm... are you telling me you expect limiting POSTs in one directory
to prevent you from POSTing to another?  No, that will not work.
You have to have the limit somewhere that applies to what they are
posting to; the server has no reason to try to use this other .htaccess
file somewhere else on the filesystem for dealing with a request to
a different directory.

See the <Files> directive to allow for access control on a per
filename basis; put it somewhere that applies to the script (eg.
a .htaccess file in the script's directory) and off you go.


>I am using Apache 1.2b7 and have a question about using user
>authentication. I would like to ask a user for a password only when they
>want to use the 'post' method. I have set my .htaccess file in a
>subdirectory like this:
>AuthType Basic
>AuthName RachNET Administration
>AuthUserFile /httpd/httpd/htdocs/rachnet/.rachpass
><LIMIT POST>
>require valid-user
></LIMIT>
>This however does not ask for a password and allows anyone to post to a
>cgi-bin bulletin board.
>My question is why won't it ask for a password. Is it because the actual
>cgi program is in a different directory than the .htaccess file?
>Todd
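
Added example, not part of either post: the placement from the question beside a placement that applies to the script itself, as the reply above suggests. The script name `board.cgi`, the `cgi-bin` path and the relocated password file path are assumptions for illustration.

```apache
# Constructed example; file locations are shown in the comments.

# --- As in the question: /httpd/httpd/htdocs/rachnet/.htaccess ---
# Read only for requests that map into htdocs/rachnet/. A POST to a
# script in cgi-bin maps to a different directory, so this file is
# never consulted and no password is requested.
AuthType Basic
AuthName RachNET Administration
AuthUserFile /httpd/httpd/htdocs/rachnet/.rachpass
<Limit POST>
require valid-user
</Limit>

# --- Placed where it applies: /httpd/httpd/cgi-bin/.htaccess ---
# (assumed script directory; board.cgi is a hypothetical script name)
AuthType Basic
# Apache 1.3 and later need a realm containing spaces to be quoted.
AuthName RachNET Administration
# Assumed path outside the document tree, so the password file
# cannot be fetched over HTTP.
AuthUserFile /httpd/httpd/conf/.rachpass
<Files board.cgi>
# Only POST is covered here; a script that also accepts submissions
# via GET would still be reachable without a password.
<Limit POST>
require valid-user
</Limit>
</Files>

# --- Server configuration (access.conf) ---
# The .htaccess above is honoured only if overrides for the
# authentication directives are allowed in that directory.
<Directory /httpd/httpd/cgi-bin>
AllowOverride AuthConfig
</Directory>
```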

 
 
 

- Question about user authentication

Post by Todd M. Felm » Wed, 23 Apr 1997 04:00:00


I am using Apache 1.2b7 and have a question about using user
authentication. I would like to ask a user for a password only when they
want to use the 'post' method. I have set my .htaccess file in a
subdirectory like this:

AuthType Basic
AuthName RachNET Administration
AuthUserFile /httpd/httpd/htdocs/rachnet/.rachpass

<LIMIT POST>
require valid-user
</LIMIT>

This however does not ask for a password and allows anyone to post to a
cgi-bin bulletin board.

My question is why won't it ask for a password. Is it because the actual
cgi program is in a different directory than the .htaccess file?

Todd

 
 
 

- Question about user authentication

Post by Konstantin Skabee » Thu, 24 Apr 1997 04:00:00



> I am using Apache 1.2b7 and have a question about using user
> authentication. I would like to ask a user for a password only when they
> want to use the 'post' method. I have set my .htaccess file in a
> subdirectory like this:

> AuthType Basic
> AuthName RachNET Administration
> AuthUserFile /httpd/httpd/htdocs/rachnet/.rachpass

> <LIMIT POST>
> require valid-user
> </LIMIT>

> This however does not ask for a password and allows anyone to post to a
> cgi-bin bulletin board.

> My question is why won't it ask for a password. Is it because the actual
> cgi program is in a different directory than the .htaccess file?

> Todd

Hi!

The .htaccess file should be in the subdirectory you want to restrict.
This subdirectory should not be under the DocumentRoot directory, but under
the user's public_html. So, if /httpd/httpd/htdocs/rachnet/ is the directory
to be restricted, you can't do that. You can try to move it to

  ~username/public_html/rachnet/

and put the .htaccess file into ...rachnet/ . Also, check (or set)
permissions of the .htaccess to be -rw-r--r-- (644) and try to access
any file in this directory.

I noticed you put the .rachpass file in the rachnet/ directory. For some
security reasons it's better not to have this file under the
DocumentRoot directory (but it's not the reason).

For more info you might want to take a look at the Apache Week article:

http://www.apacheweek.com/features/userauth

It has a good explanation of how User Authentication works.

                                                   Konstantin

 
 
 

1. Question about user authentication by crypt(key, salt)

Hi,

I try to make a piece of code for user authentication through socket.
Why is the encrypted password returned from getpwnam() *? Because of
that, I cannot compare the encrypted user input password (encrypted by
crypt(char* key, char* salt) ) with the password in the passwd
file.

Anyone can give me a clue? The following is my code:

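#include <pwd.h>      /* getpwnam(), struct passwd */
#include <string.h>   /* strncpy(), strcmp() */
#include <unistd.h>   /* crypt(); on glibc include <crypt.h> and link with -lcrypt */

/* Returns 1 if pwd matches the stored hash for user nm, -1 otherwise. */
int auth(char* nm, char* pwd)
{
        char salt[3] = {0};     /* two salt characters plus terminator */
        char* pass;
        struct passwd* usr = getpwnam (nm);
        if(usr==NULL) return -1;
        /* pw_passwd may be a placeholder shorter than two characters */
        strncpy(salt, usr->pw_passwd, 2);
        pass = crypt(pwd, salt);
        if( pass != NULL && strcmp(pass, usr->pw_passwd) == 0 )
                return 1;
        else return -1;
}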

Both the encrypted password and the salt I got from the struct usr is
"x". And the encrypted user input password I got from the crypt() call
is something like "xxmbTL5ZRLn0I" (13chars long string).

Thanks a lot

Aarzuis
