Issue
I am working in ColdFusion 11 with the Apache web server on Windows hosting. I do not have much knowledge about basic authentication, so I am a little confused about this:
- Why does the Basic authentication type store the password in a .htpasswd file, so that it is not necessary to store it in a database?
- How to redirect a request from HTTP to HTTPS before entering the password prompt?
The .htaccess file code is working fine: it first authenticates completely and then redirects from HTTP to HTTPS, but I want to switch from HTTP to HTTPS before entering a password. Here is my httpd.config file virtual host code:
<VirtualHost 112.192.12.16>
DocumentRoot C:/Apache24/htdocs/enovis53
ServerName test.example.com
ErrorLog logs/enovis-inc.com-error_log
CustomLog logs/enovis-inc.com-access_log common
</VirtualHost>
My .htaccess file code:
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
If anybody knows this, then please guide me. I don't know if this is the right thing to ask the community. All suggestions are acceptable. Thanks in advance.
Solution
- Why does the Basic authentication type store the password in a .htpasswd file, so that it is not necessary to store it in a database?
This is determined by AuthBasicProvider
Syntax: AuthBasicProvider provider-name [provider-name] ...
Default: AuthBasicProvider file
The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module.
So in your case, no provider is defined, and the default (file) is applied. If you want another provider, e.g. some db, specify dbm, ldap, ...
- How to redirect a request from HTTP to HTTPS before entering the password prompt?
Usually, some directive is applied unconditionally, unless restricted somehow. To have the password requested only when HTTPS is active, you may try to enclose the Auth directives or at least the Require inside an If
<If "%{HTTPS} == 'on'">
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
</If>
But now, all content is accessible without password, when requested via http://test.example.com. Don't forget to force https!
Unrelated, but note the security warning from AuthUserFile
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Answered By - Olaf Dietsche Answer Checked By - David Goodson (PHPFixing Volunteer)
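An added example, not part of the original answer: one way to force HTTPS before any password prompt is to issue the redirect from a port-80 virtual host in the main server configuration and to configure Basic authentication only on the TLS virtual host. The `*:80`/`*:443` bindings, the certificate paths and the password file location are assumptions (marked PLACEHOLDER); it also assumes mod_ssl and mod_alias are loaded and the server listens on port 443.

```apache
# Constructed example. Paths marked PLACEHOLDER are assumptions, not values from the page.

# Port 80: no authentication is configured here, only a redirect.
# In server/virtual-host context the Redirect is applied before the
# authentication phase, so the browser is never prompted for (and never
# sends) Basic credentials over plain HTTP.
<VirtualHost *:80>
    ServerName test.example.com
    Redirect permanent / https://test.example.com/
</VirtualHost>

# Port 443: Basic authentication exists only on the TLS virtual host.
<VirtualHost *:443>
    ServerName test.example.com
    DocumentRoot "C:/Apache24/htdocs/enovis53"

    SSLEngine on
    SSLCertificateFile    "C:/Apache24/conf/ssl/PLACEHOLDER.crt"
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/PLACEHOLDER.key"

    <Directory "C:/Apache24/htdocs/enovis53">
        AuthType Basic
        AuthName "Example CLMS Production (v5.3.0.0)"
        # Explicit here; "file" is also the default provider.
        AuthBasicProvider file
        # Stored outside the document tree, per the AuthUserFile security
        # note quoted above, so clients cannot download it.
        AuthUserFile "C:/Apache24/conf/PLACEHOLDER.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

With this layout the Auth directives in the existing .htaccess become redundant and can be removed, so the password file no longer needs to sit in the directory it protects.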