Comments on: htaccess password protection

By: timtak

timtak — Wed, 30 Nov -0001 00:00:00 +0000

Dear Jennifer
I would be interested in the password protection if you feel up to posting it. I can't use .html access on my site. Perhaps I should not be using password protection either. Oops.

I came here looking for a way of moving the grat-green stripe that is to the right of mt-logo.gif but I am not finding anything relevant. One day.

Tim

By: Phil

Phil — Wed, 30 Nov -0001 00:00:00 +0000

Well one of your concern's about your script was secerity. If you design it to hook into the MT registration DB wouldn't that issue go away? It would be just as sercue as MT right because you would just simply be calling MT. Just a thought, I don't really know what I am talking about though haha.

By: joat

joat — Wed, 30 Nov -0001 00:00:00 +0000

If you write a PHP script which allows upload/download/edit/whatever and put it in the directory, named as "index.php", wouldn't that work? 'Course, you'd have to protect "index.php" though.

By: -jul-

-jul- — Wed, 30 Nov -0001 00:00:00 +0000

I wrote my very own authentication method. No, not to my blog, but for my company's projects. It's pretty easy. Usually I don't use .htaccess, but auth-through-php with session handling.

If you want to use .htaccess with Apache, you have to separate it into pieces: a) selection, b) mod_access, and c) mod_auth*. a) embeds b) embeds c).

a) You select what you want to protect. It can be a directory (default in .htaccess), or files (use or ). Then you can narrow by request type (get, post etc) with .

b) Optionally, you can limit access from IP addresses with Allow, Deny, and Order.

c) Now use your mod_auth* commands (AuthType, AuthName, user and group selection, and require directives)

Alternatively, you can set up a 403 error page to gently deny access.

OK, OK, you may say, but where's the business logic?

First I ask a very simple question: Why do you want to implement the protection? Common problem can be catching spammers. We can call this as Anti-Turing's-Test. This is usually done by generating a picture cannot be OCR'ed (besides by human brain), and required to write it back. This is good, but every ATT (Anti Turing's Test) has a problem: you cannot make a perfect filter. This way you filter the blind. If you generate an audio file, you filter the deaf. If you ask them to answer for a quiz, you filter dumb and/or non-native English speakers. If you write your question's letters in garbled order, you filter the dyslexic. If you ask them to enter a valid credit card number, is questionable by security. Either way, you cannot ask them to say 'No, I am not a robot.' Further reading: http://www.w3.org/TR/turingtest/

Then decide, do you need a self-care subscription method? If yes, maybe you have to have a self-care unsubscription and/or 'forgot password' function. You have to ban people. You have to register people, and you have to moderate out some comments from people. Aggressive people tend to write more aggressive comments: you have to have an option to see their all comments.

This is much more than your first question: this is about to create/search for an appropriate tool.

By: Jennifer

Jennifer — Wed, 30 Nov -0001 00:00:00 +0000

My script could be modified to do that… If I decide to release it – I'll let you know!

By: Phil

Phil — Wed, 30 Nov -0001 00:00:00 +0000

I know I will continue to run a password-protected blog. I use it post things that I don't want my family to read (I know for a fact some of my family reads it) and things like that. What I am hopping (and I am thinking about emailing Ben and Mena about it) is that 3.0 will have password protected blogs or entries or something like that. I also hope that registration can be optional. For example, a friend of mine can register and it would give me the ability to "track" his/her commenting and well as give them access to the private blog/entries. But the casual reader can post a comment without registering. I guess I could email them that sugestion, but I am sure if they weren't planning to do that it is too late to implement it. Maybe someone would be able to make a script/hack that would be able to do that.

By: Jennifer

Jennifer — Wed, 30 Nov -0001 00:00:00 +0000

You mean the password protection on my personal journal? I wrote that script myself. I've been debating releasing it here – I'm feeling more confident about it's security – but I'm still a little hesitant. For starters, I just don't have time to support it – and it's frustrating for me and the people who try to implement it (they post "It doesn't work" in the comments, and I don't have time to respond and help everyone).

But also – with MT releasing 3.0 soon – and the ability to restrict comments to "registered" users – I wonder how much people will still want complete site password protection. The two are different, but people might not see a difference so subtle. (Similar to how people are using my comment queue script to prevent comment spam – it was never intended for that purpose, and doesn't do a good job for it because of that)

I'm rambling… I'll stop now.

By: Phil

Phil — Wed, 30 Nov -0001 00:00:00 +0000

I use a program called RegisterMe! (http://www.eastwright.com/internet/register) and I really like it. It uses .htaccess and users can register themselves and you can approve and manage users. I would really like something that allows me to control the a little bit more. I would like the pages (at least the ones the user sees) to match more of my sites look. I like how your site is done, what do you use for that?