
How safe are .htaccess passwords?


Wyatt
Veteran Member
 
Join Date: Mar 2005
Location: Near Indianapolis
 
2007-07-25, 12:56

I'm in the middle of a sort of summer cleanup project on my FTP server, which I use to manage web sites at 3 domains and 5 subdomains. One of my new subdomains is supposed to be a test area for me to try out new applications on my server before pushing them through to one of my main sites.

I'd like to password protect the area. It's not super important, but I'd prefer to keep prying eyes off of my new stuff.

From a management standpoint, I think .htaccess passwords might be the way to go. I've never used them before, but they seem pretty straightforward. What I'm wondering is, how secure are they?

All of my sites are in subfolders on my FTP server. I don't have any sites in the root folder. The only two files in there are my Google site map (which I'll probably be moving or just plain deleting soon) and an .htaccess file that handles some basic settings for all my sites. Can I put my .htpasswd file in the root directory without any major security risks, or should I use another subfolder that's not accessible from the web? (My root folder isn't accessible from the web at the moment, either.)

Twitter: bwyatt | Xbox: @playsbadly | Instagram: @bw317

ast3r3x
25 chars of wasted space.
Join Date: May 2004
2007-07-25, 13:01

Secure.

As long as nobody changes the httpd.conf to stop using them I think the biggest problem with them is that I think they are capable of being brute forced since there is no way to limit the number of times a user has tried to log in.

Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2007-07-25, 13:27

Quote:
Originally Posted by fcgriz
Can I put my .htpasswd file in the root directory without any major security risks, or should I use another subfolder that's not accessible from the web? (My root folder isn't accessible from the web at the moment, either.)

You should definitely put the passwords file in a directory that isn't web accessible. For extra obfuscation, you can give it a crazy name that doesn't sound like it's a password file.

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.

Majost
monkey with a tiny cymbal
 
Join Date: Nov 2004
Location: Lost
 
2007-07-25, 13:37

Quote:
Originally Posted by ast3r3x
Secure.

As long as nobody changes the httpd.conf to stop using them I think the biggest problem with them is that I think they are capable of being brute forced since there is no way to limit the number of times a user has tried to log in.

Aren't they also transmitted in clear (or only slightly obfuscated) text? You need SSL for encryption to apply. That said, for a dev site it should work okay.

ast3r3x
25 chars of wasted space.
Join Date: May 2004
2007-07-25, 13:41

Quote:
Originally Posted by Majost
Aren't they also transmitted in clear (or only slightly obfuscated) text? You need SSL for encryption to apply. That said, for a dev site it should work okay.

Yes, but that holds true for any password/username transmitted over the web.

Anyways, anything like this is only as secure as your server is. You can have all the htaccess' you want, but if I can access it from another part of the server you are screwed.

Wyatt
Veteran Member
 
Join Date: Mar 2005
Location: Near Indianapolis
 
2007-07-25, 14:14

Okay, thanks for the answers everybody. It's basically along the lines of what I expected, so I'll set it up that way, if my Web host ever e-mails me back. I e-mailed them earlier to get the absolute path to my server share, but they haven't gotten back with me.

I'll check back in and let you guys know how it goes once I start actually working on it. Thanks!

Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2007-07-25, 15:21

Does your host allow any scripted languages like PHP?

For example, if you put this in a PHP file and access it from a web browser, it'll show you its path on the server.
[php]<?php echo dirname(__FILE__); ?>[/php]

Wyatt
Veteran Member
 
Join Date: Mar 2005
Location: Near Indianapolis
 
2007-07-25, 15:28

Quote:
Originally Posted by Brad
Does your host allow any scripted languages like PHP?

For example, if you put this in a PHP file and access it from a web browser, it'll show you its path on the server.
[php]<?php echo dirname(__FILE__); ?>[/php]

Actually, after I finish my little house cleaning project (which this is the last component of), my next project is to completely redo my blog with PHP/MySQL. I'm redoing some old code, so it won't take me long, but I'm still pretty excited about it. I do love a good software project.

I can't believe I didn't think to look for a PHP function to figure this out for me. I'll try that out this evening. Thanks again, Brad!

[update]

Thanks again everybody for all of your help. I've got it working right now, and it's perfect. Now I feel pretty confident in my setup.

Last edited by Wyatt : 2007-07-25 at 17:14.
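
Two points from this thread can be checked mechanically: the password file should sit outside the web-accessible tree, and Basic credentials are only lightly obfuscated in transit unless SSL is required. The Python check below is an added example, not code from any poster; the paths, file names and sample credential are constructed placeholders, and `SSLRequireSSL` is Apache mod_ssl's directive for refusing non-SSL requests.

```python
import base64
import posixpath

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument string."""
    directives = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return directives

def audit(text, docroot):
    """Return findings for the two risks raised in the thread."""
    d, findings = parse_htaccess(text), []
    pwfile = d.get("authuserfile", "")
    if not pwfile.startswith("/"):
        # Apache resolves a relative AuthUserFile against ServerRoot.
        findings.append("AuthUserFile is not an absolute path")
    else:
        root = posixpath.normpath(docroot)
        if posixpath.commonpath([root, posixpath.normpath(pwfile)]) == root:
            findings.append("password file is inside the web root")
    if d.get("authtype", "").lower() == "basic" and "sslrequiressl" not in d:
        findings.append("Basic auth is not restricted to SSL")
    return findings

def decode_basic(header_value):
    """Recover (user, password) from an Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

# Constructed samples; every path, name and credential below is a placeholder.
DOCROOT = "/home/example/public_html"
WEAK = """AuthType Basic
AuthName "Test area"
AuthUserFile /home/example/public_html/test/.htpasswd
Require valid-user
"""
HARDENED = """SSLRequireSSL
AuthType Basic
AuthName "Test area"
AuthUserFile /home/example/private/site-settings.dat
Require valid-user
"""
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
```

`audit(WEAK, DOCROOT)` reports both problems, `audit(HARDENED, DOCROOT)` reports none, and `decode_basic(SAMPLE_HEADER)` returns the user name and password with no key involved, which is why the header needs SSL around it.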
All times are GMT -5.

