
Wednesday, September 21, 2022

[FIXED] What is the key role of HTTP to HTTPS redirection in basic authentication?

Tags: .htaccess, apache, virtualhost, xampp

Issue

I am working in ColdFusion 11 with the Apache web server on Windows hosting. I do not have much knowledge about basic authentication, so I am a little confused about this:

  1. Why does the Basic authentication type store the password in the .htpasswd file, so that it is not necessary to store it in a database?
  2. How do I redirect an HTTP request to HTTPS before the password prompt appears?

The .htaccess file code is working fine: it first authenticates completely and then redirects from HTTP to HTTPS, but I want to switch from HTTP to HTTPS before entering a password. Here is my httpd.config file virtual host code:

<VirtualHost  112.192.12.16>
    DocumentRoot C:/Apache24/htdocs/enovis53
    ServerName test.example.com
    ErrorLog logs/enovis-inc.com-error_log
    CustomLog logs/enovis-inc.com-access_log common
</VirtualHost>

My .htaccess file code:

AuthName "Example CLMS Production (v5.3.0.0)"

AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user

If anybody knows this, please guide me. I don't know if this is the right thing to ask the community. All suggestions are welcome. Thanks in advance.


Solution

  1. Why does the Basic authentication type store the password in the .htpasswd file, so that it is not necessary to store it in a database?

This is determined by AuthBasicProvider:

Syntax: AuthBasicProvider provider-name [provider-name] ...
Default: AuthBasicProvider file

The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module.

So in your case, no provider is defined, and the default (file) is applied. If you want another provider, e.g. some db, specify dbm, ldap, ...


  2. How do I redirect an HTTP request to HTTPS before the password prompt appears?

Usually, some directive is applied unconditionally, unless restricted somehow. To have the password requested only when HTTPS is active, you may try to enclose the Auth directives or at least the Require inside an If:

<If "%{HTTPS} == 'on'">
    AuthName "Example CLMS Production (v5.3.0.0)"
    AuthType Basic
    AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
    require valid-user
</If>

But now, all content is accessible without a password when requested via http://test.example.com. Don't forget to force https!


Unrelated, but note the security warning from AuthUserFile:

Security

Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.



Answered By - Olaf Dietsche
Answer Checked By - David Goodson (PHPFixing Volunteer)
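
Added example, not part of the original answer or the Apache documentation: one way to act on the answer's "force https" reminder is to keep every Auth directive out of the port-80 virtual host and let that host only redirect, so the Basic credentials (which are sent base64-encoded, not encrypted) are requested only over TLS. The `*:80`/`*:443` bindings, the certificate paths and the `C:/Apache24/conf/auth/` directory are assumptions; mod_ssl and mod_alias must be loaded and `Listen 443` configured.

```apache
# httpd.conf sketch (added example; paths marked "placeholder" are assumptions)

# Port 80: no DocumentRoot content and no Auth directives.
# mod_alias answers every request with a 301 before any access check runs,
# so the browser is never challenged for a password over cleartext HTTP.
<VirtualHost *:80>
    ServerName test.example.com
    Redirect permanent "/" "https://test.example.com/"
</VirtualHost>

# Port 443: content and Basic authentication exist only here.
<VirtualHost *:443>
    ServerName test.example.com
    DocumentRoot "C:/Apache24/htdocs/enovis53"
    ErrorLog logs/enovis-inc.com-error_log
    CustomLog logs/enovis-inc.com-access_log common

    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile "C:/Apache24/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/server.key"

    <Directory "C:/Apache24/htdocs/enovis53">
        AuthType Basic
        AuthName "Example CLMS Production (v5.3.0.0)"
        # Explicit form of the default provider discussed in the answer.
        AuthBasicProvider file
        # placeholder location outside the DocumentRoot, following the
        # AuthUserFile security warning quoted above
        AuthUserFile "C:/Apache24/conf/auth/.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

After a reload, a request to http://test.example.com/ should come back as a 301 with a Location header pointing at the https URL and no WWW-Authenticate header; the 401 challenge should appear only on the https URL.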