  1. #1
    Join Date
    Feb 2004

    htaccess security question

    Hi, I am developing a website to administrate databases for a law firm and was wondering if htaccess is sufficient for controlling access for users, clients and administration. I wouldn't want to jeopardize my client's information with weak security and was curious how reliable htaccess is.


  2. #2
    Join Date
    Apr 2004
    While authentication does allow resources to be restricted to particular users, there are potential security issues. Some of these are:

    - Care must be taken to ensure that the resource is restricted against all methods. Use of <Limit GET>, for instance, leaves POST and other request methods unprotected.
    - The username and password are stored in a plain text file. While the password is encrypted, it is not completely safe against decryption, so the file should not be accessible to other users on the system. More importantly, it should not be placed under the document root where users from other sites could access it.
    - The username and password are as secure as any username/password system, in that end-users should not tell others their password, or write it down, or make it easily guessable.
    - The Basic authentication scheme transmits passwords across the Internet unencrypted, so they could be intercepted.

  3. #3

    Security is a way of life; and, should involve as many layers as you are comfortable managing.

    .htaccess in terms of password protection is just one layer.

    Making sure how you store your user id and password for the application which provides I/O with your database is another layer.

    The encryption of sensitive information within the database is another layer.

    The operating system security and application (Web server, database server, etc.) server security are other layers.

    Each must be looked at, hardened, and managed each and every day (throughout the day).

    Thank you.
    Peter M. Abraham
    LinkedIn Profile

  4. #4
    Join Date
    Jun 2003
    .htaccess isn't as flexible as writing your own authentication system, but it doesn't have any inherent weaknesses as far as I am aware. Your httpd.conf should already have a global setting to deny access to all files beginning with ".ht". It's more of a hassle to add and remove users than if you roll your own. If you are using SSL, the username and password will not be sent in the clear.
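    The two configuration points raised in #2 (a `Require` wrapped in `<Limit GET>` leaves POST and other methods open; the password file must not sit under the document root) and the global ".ht*" denial mentioned in #4 can be checked mechanically. The script below is an added example, not code from this thread or from Apache; the `.htaccess` and `httpd.conf` fragments in it are constructed, and the document root `/var/www/html` is an assumption.

```python
import re

# Constructed example: a weak .htaccess that only protects GET, and keeps the
# password file under the document root (both issues raised in the thread).
WEAK_HTACCESS = """\
AuthType Basic
AuthName "Client files"
AuthUserFile /var/www/html/.htpasswd
<Limit GET>
    Require valid-user
</Limit>
"""

# Corrected version: no <Limit> block, so Require applies to every request
# method, and the password file lives outside the document root.
FIXED_HTACCESS = """\
AuthType Basic
AuthName "Client files"
AuthUserFile /etc/apache2/auth/.htpasswd
Require valid-user
"""

# Constructed httpd.conf fragments: the .ht* denial in Apache 2.4 form and in
# the older 2.2 (Order/Deny) form, as shipped in the default httpd.conf.
HTTPD_CONF_24 = r'''
<Files ".ht*">
    Require all denied
</Files>
'''
HTTPD_CONF_22 = r'''
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
'''

DOCUMENT_ROOT = "/var/www/html"   # assumed DocumentRoot for the checks


def audit_htaccess(text, document_root=DOCUMENT_ROOT):
    """Return a list of findings (strings) for the given .htaccess content."""
    findings = []
    # 1. A Require inside <Limit ...> only covers the listed methods; any other
    #    method (POST, PUT, DELETE, ...) reaches the resource unauthenticated.
    for m in re.finditer(r"<Limit\s+([^>]+)>(.*?)</Limit>", text, re.S | re.I):
        methods = " ".join(m.group(1).split())
        if re.search(r"^\s*Require\b", m.group(2), re.M | re.I):
            findings.append(
                "Require inside <Limit %s>: other request methods are unprotected" % methods)
    # 2. An AuthUserFile under the document root is web-reachable unless the
    #    server denies .ht* files; keep it outside the web tree regardless.
    for m in re.finditer(r"^\s*AuthUserFile\s+(\S+)", text, re.M | re.I):
        path = m.group(1).strip('"')
        if path.startswith(document_root.rstrip("/") + "/"):
            findings.append("AuthUserFile %s is under the document root" % path)
    return findings


def denies_dotfiles(conf):
    """True if conf has a <Files>/<FilesMatch> block for .ht* that denies access
    (either 'Require all denied' or the older 'Deny from all')."""
    block = r'<(Files|FilesMatch)\s+"?([^">]*\.ht[^">]*)"?\s*>(.*?)</\1>'
    for m in re.finditer(block, conf, re.S | re.I):
        if re.search(r"Require\s+all\s+denied|Deny\s+from\s+all", m.group(3), re.I):
            return True
    return False


if __name__ == "__main__":
    for label, text in (("weak", WEAK_HTACCESS), ("fixed", FIXED_HTACCESS)):
        print(label, audit_htaccess(text) or "no findings")
    print("2.4 conf denies .ht*:", denies_dotfiles(HTTPD_CONF_24))
    print("2.2 conf denies .ht*:", denies_dotfiles(HTTPD_CONF_22))
    print("empty conf denies .ht*:", denies_dotfiles(""))
```

    Run it against your own `.htaccess` and `httpd.conf` by reading the files into `audit_htaccess` and `denies_dotfiles`; on shared hosting where you cannot read `httpd.conf` (as in #5), requesting `/.htpasswd` over HTTP and confirming a 403 is the practical substitute for the second check.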

  5. #5
    Join Date
    Feb 2004
    I see, I will make sure to keep 'other' request methods secure. I don't have access to the OS (currently, as a reseller) but I'll check the passwd file location. In the past, I have used my own session routines using PHP (cookie/url id) before but for this project I just have been admining htaccess users with cPanel. Thank you all for the informative responses.

