httpd-users mailing list archives

From Mark McCulligh <mmccu...@visualtech.ca>
Subject Re: [users@httpd] AWStats and security
Date Wed, 29 Sep 2004 14:52:05 GMT
Aman Raheja wrote:

> Mark McCulligh wrote:
>
>> I have a question for anyone else using awstats for their website stats.
>>
>> I have it installed and running ok. But want to protect the stats so 
>> only valid users can access their stats.  I have created a .htaccess 
>> file to make sure only valid users can get in but how are people 
>> protecting valid users from looking at other valid users website 
> >> stats. I don't want customer A looking at customer B's stats.
>>
>> I see that you can have awstats make static web pages using 
>> "staticlinks" but I want to keep it dynamic.
>>
> >> How are other people protecting their awstats?
>>
>> Thanks,
>> Mark.
>>
> I have used awstats before I switched to webalizer which gives more 
> useful info for me.
> Well protecting is no big issue I think - esp if you are enabling 
> .htaccess control then how can users know each other's user/pass info 
> to look at someone else's stats!
>
> Aman Raheja
>
I am doing the opposite from you. I have used webalizer for years but 
find awstats just looks nicer. Both give about the same information. But 
customers are into looks. I have even looked at Urchin or WebTrends to 
do stats but I don't want to spend the money right now on stats when 
both webalizer and awstats are good enough for most customers.

Now about your .htaccess question. It only makes sure valid customers 
with username/pwd have access to the cgi-bin folder.  But once a 
customer is logged in they can change their config file parameter and 
get another customer's stats.

Example:
http://www.customerA.com/awstats/awstats.pl?config=CustomerA
User is asked for username/pwd, then logs in. Then they change their URL to
http://www.customerA.com/awstats/awstats.pl?config=CustomerB
They now can see CustomerB stats. DOH

Mark.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
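
The gap described in the message above is authentication without per-customer authorization: .htaccess proves who logged in, but nothing ties that login to the `config` value. As an added example (not part of the original message and not AWStats code), here is a gate that binds the authenticated user to one config name before the request reaches the stats script. The user names, the mapping and the function names are assumptions; the user is assumed to arrive as `REMOTE_USER`, which Apache sets for CGI after Basic auth.

```python
import re
from urllib.parse import parse_qs

# Constructed mapping (assumption): authenticated user -> the one config they may view.
ALLOWED_CONFIG = {"alice": "CustomerA", "bob": "CustomerB"}

# The config name selects a config file, so accept only a conservative character set.
CONFIG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def authn_only(remote_user, query_string):
    """The setup from the message: any valid login passes, config is never checked."""
    return bool(remote_user)


def authorize(remote_user, query_string):
    """Return the config this request may load, or None to deny (HTTP 403)."""
    allowed = ALLOWED_CONFIG.get(remote_user or "")
    if allowed is None:
        return None  # not logged in, or no config assigned to this user
    values = parse_qs(query_string, keep_blank_values=True).get("config", [])
    # Require exactly one value: with repeated parameters the gate and the
    # CGI script behind it could each pick a different one.
    if len(values) != 1:
        return None
    requested = values[0]
    if not CONFIG_RE.fullmatch(requested):
        return None  # rejects path separators, "..", empty names
    return requested if requested == allowed else None


if __name__ == "__main__":
    # Constructed requests: (REMOTE_USER, QUERY_STRING)
    samples = [
        ("alice", "config=CustomerA"),
        ("alice", "config=CustomerB"),
        ("alice", "config=CustomerA&config=CustomerB"),
        ("alice", "config=CustomerA%2F.."),
        ("", "config=CustomerA"),
    ]
    for user, qs in samples:
        print(f"{user!r:8} {qs:36} authn_only={authn_only(user, qs)} "
              f"authorize={authorize(user, qs)}")
```
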

