From: "Robert Andersson"
Date: Fri, 15 Aug 2003 15:44:00 +0200
Subject: Re: [users@httpd] Reposting of Question: Setting Up User Authentication For An Entire Site

Kaplan, Andrew H wrote:
> The idea is when a user brings up the website on his/her browser,
> he/she will be immediately prompted for a password. Once that is provided,
> the user will have access to the various sections of the site that have
> been set up. I was planning on using the .htaccess file for the passwords,
> and configuring the httpd.conf file so that password authentication will take
> place at the root of the Documents directory.
>
> Is this the way to go? Thanks.

Yes, with a few comments.

* Are you satisfied with the very low security inherent in Basic Authentication? If sensitive information is going to travel the pipe, you might want to use SSL in addition to Basic Auth.
* If you are going to have a lot of (100+) users, it would be wise to use another method.
* As I see it, there is no reason for using an .htaccess file; configure the authentication directly in httpd.conf and refer to a password file (which is not an access file, many seem to mix the two).

Regards,
Robert Andersson
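
Added example, not part of the original message: a sketch of the httpd.conf setup the reply recommends, with site-wide Basic Auth defined in the main config, a separate password file, and SSL enforced. The paths, realm name and user name are assumptions, and SSLRequireSSL assumes mod_ssl is loaded.

```apache
# Assumed layout: document root at /usr/local/apache2/htdocs, password file
# kept OUTSIDE the document root so the server can never hand it out.
#
# Create the password file once (constructed user name "alice"):
#   htpasswd -c /usr/local/apache2/passwd/site.htpasswd alice
# Add further users without -c, which would overwrite the file:
#   htpasswd /usr/local/apache2/passwd/site.htpasswd bob

<Directory "/usr/local/apache2/htdocs">
    # Authentication lives here in httpd.conf, so .htaccess files are not
    # consulted at all for this tree and cannot weaken the policy.
    AllowOverride None

    AuthType Basic
    AuthName "Restricted Site"
    # The password file (user:hash pairs), distinct from any .htaccess file.
    AuthUserFile /usr/local/apache2/passwd/site.htpasswd
    Require valid-user

    # Basic Auth sends the user name and password base64-encoded, not
    # encrypted, with every request. Refuse requests that did not arrive
    # over SSL so the credentials never cross the wire in the clear.
    SSLRequireSSL
</Directory>
```

Because the block covers the document root, every path beneath it inherits the same requirement; check the result with `apachectl configtest` before restarting.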