DotDragnet
Author Topic: .htpasswd security question  (Read 2166 times)
samhs (Administrator, Hero Member, Posts: 1711)
« on: October 02, 2008, 12:25:15 AM »

Is there any reason I shouldn't locate a .htpasswd file in the directory which it protects (e.g. if I protect a folder called "images" using a .htaccess located in that directory, and point to the .htpasswd file also located in that same "images" directory)? Is that bad from a security POV? Assume I have no telnet/ssh access to the server in question, so I can only access the public folder and below...

TIA

Loose adj a not held together; not fastened or firmly fixed in place
Lose verb to misplace something. To fail to keep or obtain something, especially because of a mistake, carelessness, etc.
---
Blog: www.ohwrite.co.uk
Twitter: www.twitter.com/samhs
Jeep Stone (Hero Member, Posts: 908)
« Reply #1 on: October 02, 2008, 08:04:32 AM »
On our server the .htaccess and .htpasswd are in the same location for each folder. Apache is normally configured to prevent direct access to .ht* files IIRC.

SLEE (Hero Member, Posts: 824)
« Reply #2 on: October 02, 2008, 08:24:30 AM »
I think if you want to be super secure then the .htpasswd is supposed to be under the root of your site so no one can reach it through the web.

SLEE - still the most confusing ddner...

Follow me on Twitter
samhs (Administrator, Hero Member, Posts: 1711)
« Reply #3 on: October 02, 2008, 03:50:54 PM »
When you say "super secure", what are the risks/possible exploits associated with locating the files in the folder being protected?

JasonD (Global Moderator, Hero Member, Posts: 546)
« Reply #4 on: October 02, 2008, 05:23:12 PM »
None.

Access to .ht files is forbidden by default configuration (and there is no valid reason to change that).
You already need a valid login to access anything in the directory.
Passwords are not stored in plain text.

Reasons to store the passwords elsewhere are mostly administrative: you don't need to maintain multiple password files for the same users to log in to different parts of the same site, or to different sites on the same server.
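JasonD's three points (the .ht* deny rule, the need for a valid login, and hashed rather than plain-text passwords) can be checked rather than taken on trust. The script below is an added example written for this thread, not code from the forum or from the Apache project: it re-implements the two hash schemes htpasswd writes with -s ({SHA}) and -m ($apr1$), verifies a candidate password against a constructed sample file, and lists the users whose entries use a scheme worth migrating away from (plain text, legacy crypt, or unsalted SHA-1). The sample file, its user names, salt and passwords are all made up here; nothing in it comes from a real server.

```python
"""Offline audit of Apache .htpasswd entries (added example, not code from this thread)."""
import base64
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """md5crypt's base-64 variant: emit the low 6 bits first, `count` characters."""
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: bytes, salt: bytes) -> str:
    """Apache's $apr1$ scheme (md5crypt with magic '$apr1$'), what `htpasswd -m` writes."""
    magic, salt = b"$apr1$", salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                       # mix in len(password) bytes of the alt sum
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bit = len(password)
    while bit:                                 # one byte per bit of the password length
        ctx.update(b"\x00" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds, order depends on i
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"{magic.decode()}{salt.decode()}${encoded}"


def sha1_hash(password: bytes) -> str:
    """`htpasswd -s`: unsalted SHA-1, base64-encoded, prefixed with {SHA}."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def classify(stored: str) -> str:
    """Name the scheme of one password field: sha1, apr1, bcrypt, crypt or plain."""
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith("$apr1$"):
        return "apr1"
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if len(stored) == 13 and "$" not in stored:
        return "crypt"
    return "plain"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored password field, skipping blank lines and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries


# Unsalted, limited to 8 characters, or not hashed at all: worth migrating to $apr1$ or bcrypt.
WEAK_SCHEMES = {"plain", "crypt", "sha1"}


def weak_entries(text: str) -> list:
    """Users whose stored credential uses one of WEAK_SCHEMES, sorted by name."""
    return sorted(u for u, h in parse_htpasswd(text).items() if classify(h) in WEAK_SCHEMES)


def verify(user: str, password: str, text: str) -> bool:
    """Recompute the stored hash for `user` and compare it in constant time."""
    stored = parse_htpasswd(text).get(user)
    if stored is None:
        return False
    pw, scheme = password.encode(), classify(stored)
    if scheme == "sha1":
        candidate = sha1_hash(pw)
    elif scheme == "apr1":
        candidate = apr1_hash(pw, stored.split("$")[2].encode())
    else:
        return False   # bcrypt needs the bcrypt package; plain/crypt are not accepted here
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed sample file: user names, salt and passwords are chosen here, not taken from anywhere.
SAMPLE_HTPASSWD = "\n".join([
    "alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",          # htpasswd -s, password "password"
    "bob:" + apr1_hash(b"correct horse", b"r31....."),  # htpasswd -m style, salt chosen here
    "carol:plaintextsecret",                            # plain text, only honoured on Windows/Netware
    "dave:$2y$05$" + "A" * 53,                          # bcrypt-shaped placeholder, not a real hash
])

if __name__ == "__main__":
    print("weak entries:", weak_entries(SAMPLE_HTPASSWD))
    print("alice/password ->", verify("alice", "password", SAMPLE_HTPASSWD))
```

The first of JasonD's points is a one-line check in the server configuration rather than in this script: the stock httpd.conf carries a `<Files ".ht*">` block that denies all access (`Require all denied` in Apache 2.4, `Order allow,deny` / `Deny from all` in 2.2), so a request for `/images/.htpasswd` is refused before the file is ever read, whichever directory it sits in. What the script adds is the third point in practice: a `{SHA}` entry is recomputable by anyone who reads the file because it carries no salt, which is why `weak_entries` flags it alongside plain text, while `$apr1$` at least salts and stretches.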
samhs (Administrator, Hero Member, Posts: 1711)
« Reply #5 on: October 02, 2008, 05:35:53 PM »
Excellent - thanks :)