View Full Version : password protecting content


jbroder
12-30-1998, 05:49 PM
How do I go about password protecting a portion of my content and selling subscription services? All I know is HTML and a little bit about perl, java, etc.

I know that .htaccess will limit access, but how do I link it to (external?) credit card authorization service for password generation?

Thanks!

Del
12-30-1998, 06:04 PM
The .htaccess file is a fairly static thing. You build it, stick it in the protected dir, and pretty much leave it alone.

The file that stores the valid username/password combos is a different story tho. It's the one that has to be altered to add on new users when they sign up. There's all sorts of different ways to go about it, and it basically depends on how many users you expect to have.

The main thing that needs figured though is what company you intend to use for your CC acceptance. If you use iBill ( http://www.ibill.com/ ) for example, I believe they already have the necessary scripting available for you when you sign up. There are thousands of other places out there with as many different ways to go about updating a password file. It all boils down to what company you go with (unless you have your own merchant account, then it's different yet again *s*) and if they have a system already, or if you want to take normal CC processing, and set up the user accounts manually.

I wish I could give you a real answer right now, but at the moment I can't. I suggest that your first step would be setting up the credit card processing, and then adding the directory authentication (which I'll be more than happy to help with).


------------------
Del
www.downinit.com/ (http://www.downinit.com/)

Terra
12-30-1998, 06:30 PM
Hmmm -- this is a little beyond the standard password protected directories...

To do this you must telnet/SSH into your account...

1) create a directory *outside* of the www subdirectory to hold your passwords... e.g. /big/dom/x???????/.protect

2) within that directory you have 2 options - either create a 'htpasswd' or 'DBM' style password database...

htpasswd == less than 50 users
DBM Hash == 50 or more users

(.passwords is only an example, your password file can be named anything you would like)

for htpasswd: (-c is for creating a new file only)
htpasswd -c .passwords newuser
then you enter the new password...

for DBM Hash: (adduser is for creating a new file)
dbmmanage .passwords adduser newuser
then you enter the new passwords

To add more users later:
htpasswd .passwords anotheruser
dbmmanage .passwords adduser anotheruser

Now go to the directory you want to protect and create the .htaccess file...

Within the .htaccess file, for 'htpasswd' style:
AuthUserFile /big/dom/x?????/.protect/.passwords
AuthName "Restricted_Users"
AuthType Basic
require user newuser anotheruser (etc...)

for 'DBM' style:
AuthDBMUserFile /big/dom/x?????/.protect/.passwords
AuthName "Restricted_Users"
AuthType Basic
require user newuser anotheruser (etc...)

As you can see - the above is not that hard, but also there is really not any good documentation to do it either... I myself had to figure out proper passwording techniques...

I primarily use a Modified 'DBM' combined user/group hash for the areas I protect... It takes a bit more effort as the syntax to do so is more exacting and requires you to write your own custom database manager/injector...

The above is readily available to you through utilizing either the 'htpasswd' or 'dbmmanage' program...

As for the 'external' link - that is going to require that you interface with the card authorization company and as such, is outside of our realm... They should be able to guide you with the interface, as all the programming tools are available to you within the FutureQuest server... e.g. Perl DBD::DBI modules, Python tools, AuthMySQL Apache module, PHP3, etc... You are only limited by your own creativity...

Hope this helps...

--
Terra
sysAdmin
FutureQuest

***I really do need to bite the bullet one day and either code the GUI interface, or write a darn good howto on it...***

Any volunteers to rewrite the above into non-techno babble for FutureQuest User Manual inclusion???
Thanks!!!

------------------
www.FutureQuest.net (http://www.FutureQuest.net)
--FutureQuest goal: (10x+8)/(x+1)=9.99--
--The best way to predict the future is by inventing it--

[This message has been edited by ccTech (edited 12-30-98).]
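
Step 1 in the post above keeps the password file outside the www directory, where the web server cannot serve it as a page. An added check (not from the thread or from FutureQuest) that parses a .htaccess and flags a password file placed under the web directory; the account path /big/dom/xacme, the function names and the sample input are assumptions for illustration.

```python
import posixpath

# Constructed sample: the 'htpasswd' style file from the post, with the
# hypothetical account directory /big/dom/xacme in place of x?????.
SAMPLE_HTACCESS = """\
AuthUserFile /big/dom/xacme/.protect/.passwords
AuthName "Restricted_Users"
AuthType Basic
require user newuser anotheruser
"""

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument string."""
    directives = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives[parts[0].lower()] = arg
    return directives

def is_inside(path, root):
    """Lexical containment test; symlinks are not resolved."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def audit(text, docroot):
    """Return a list of problems; an empty list means none were found."""
    d = parse_htaccess(text)
    problems = []
    pwfile = d.get("authuserfile") or d.get("authdbmuserfile")
    if not pwfile:
        problems.append("no AuthUserFile/AuthDBMUserFile directive")
    elif is_inside(pwfile, docroot):
        problems.append("password file is inside the web directory: " + pwfile)
    if d.get("authtype", "").lower() != "basic":
        problems.append("AuthType is not Basic")
    if not d.get("authname"):
        problems.append("AuthName (realm) is missing")
    if "require" not in d:
        problems.append("no require line, so no login is demanded")
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE_HTACCESS, "/big/dom/xacme/www"))
```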

Terra
12-30-1998, 06:31 PM
hehehe -- Hiya Del... http://www.aota.net/ubb/wink.gif

--
Terra

------------------
www.FutureQuest.net (http://www.FutureQuest.net)
--FutureQuest goal: (10x+8)/(x+1)=9.99--
--The best way to predict the future is by inventing it--

Terra
12-30-1998, 06:32 PM
Oh yeah Del, one more thing...

Today Deb and I learned that,

1 + 1 + 3 + 2 == FutureQuest

We had witnesses too!

--
Terra

Deb
12-30-1998, 06:34 PM
Terra -- I was told a couple of minutes ago that it's called a "merger"

hmmm should we make that server news?

Deb

jbroder
12-30-1998, 06:38 PM
thanks for the help. what's with the math?
somebody did a group wedding?

Julie
12-30-1998, 06:45 PM
I don't know, now. Maybe it is an advanced development!

------------------
Julie

http://www.splitangels.org

Deb
12-30-1998, 06:53 PM
Possibly integration <grin>


I will be posting in server news in just a moment to explain Terra's Math Tricks http://www.aota.net/ubb/smile.gif

Deb

Julie
12-30-1998, 06:58 PM
LOL Yikes!!!

I am a bit curious with the math myself, I think I understand most of it..... but.....

Ugh the 'i' word hehehe

------------------
Julie

http://www.splitangels.org

Del
12-30-1998, 07:29 PM
DBD:*smiley*BI eh? Is that some new module you've built that you've not told the rest of us about?

Del

Terra
12-30-1998, 08:33 PM
It's a *happy* module - that I custom coded just for this day...

Just plug this puppy, right into your program and you'll unleash the full power of the internet... http://www.aota.net/ubb/smile.gif

Be forewarned, it's been known to fry Windows 95/98, only Linux has been able to handle its sheer raw power of capability... http://www.aota.net/ubb/biggrin.gif

--
Terra
sysAdmin by day
coDer by night
human anytime else
FutureQuest.net

------------------
www.FutureQuest.net (http://www.FutureQuest.net)
--FutureQuest goal: (10x+8)/(x+1)=9.99--
--The best way to predict the future is by inventing it--

[This message has been edited by ccTech (edited 12-30-98).]

MikeA
12-31-1998, 11:55 AM
Terra,
I've printed out all of the docs listed here in the Forums and I'll write an easy to read document for you. If you could send me an e-mail with any other information I might need that would be appreciated (also attach a .htpasswd file and any other applicable files)

------------------
www.webauthorities.com (http://www.webauthorities.com)
"To continue press any key"...Where's the anykey?

Terra
12-31-1998, 07:18 PM
Thanks Mike,

With the dynamics of protecting content - it's really difficult to write docs on how to do it... What I gave above is the standard way of protecting things... One of the things I've been working on is using an Apache module (mod_AuthMySQL) which is mated with the MySQL backend... I plan on building the CNC interface around this, to where you can point and click your way through it...

To be quite honest -- there really wasn't any good docs around, and I had to dig out information, just to get the basics of it... Now that I've been doing it for a long time, it's second nature to me - yet I understand that many are at where I was, when *I* was scratching my head about it... The ultimate solution is to provide the GUI interface, and provide documentation for those that need a more custom approach... The latter half would possibly have a better clue for what they are doing though, and only need to know the 2 different styles and programs to control it... The wildcard is the 'combined user/group' DBM Hashes, for which I've setup the server to handle - but requires custom written programs to administrate...

Wow -- did the above get long-winded?!?!?!?! *sigh* I hate when I get that way - do you get the feeling that I'm not 100% sure, the way to explain it... Call it an unfortunate side-effect of reading 1 tooooo many 'man' pages in my lifetime... To read - I consume, To write - I stumble... http://www.aota.net/ubb/frown.gif

I guess what would help is to start creating an outline and fill in the blanks from there...

1) The programs used
   htpasswd
   dbmmanage
2) 3 styles of password databases (with 4th on the way)
   plaintext
   DBM Hashes
   DBM Hash w/combined user/group records
   MySQL controlled authentication (CNC destined)
3) password directory
   Telnet in and create one in your '/big/dom/x????' directory, e.g. /big/dom/xacme/.protect
4) directory to be passworded
   /big/dom/xacme/www/sensitive
5) content of .htaccess file
   as shown above for the 2 main styles
6) controlling with realms
   a realm is a ticket that you authenticate against... eg. you have 2 dirs protected 'sensitive' and 'eyesoff'... within the .htaccess for both directories if you have both directories protected with the AuthName 'Restricted' and have validated with the correct user/password - then you can access both directories *without* having to re-authenticate...


Eeeesh - it's no wonder you can't find any good documentation out there regarding this -- in practice it's easy once you understand it - but trying to explain it - is a totally different matter...

I hope this gets the ball rolling on this subject... Once again - thanks Mike for stepping up to bat on this!...

--
Terra
sysAdmin
FutureQuest

jelevin
04-17-1999, 10:48 AM
I've tried to do some reading about different ways to password protect, but I'm stumped.
What I would like is to protect several pages such that the user only needs to authenticate once (or at most every few months).

I know I could set a cookie, but then I would need to have every page, even static ones check for a cookie. I think there should be some way to do this with .htaccess but can't really find it.

ChrisH
04-17-1999, 12:18 PM
Look on aota.net and there is something nice and short there.
Or at http://www.apacheweek.com/features/userauth

I don't remember seeing how to do a certain file, but of course you can put the file in a protected directory . . .

I used this to protect my stats and links admin dirs.

Good luck,


ch

jelevin
04-17-1999, 10:01 PM
I probably wasn't clear, but I don't want to bother the users with a password every time they access the site, just the first time. _That's_ what has me stumped.

Justin
04-17-1999, 10:31 PM
The only way I know how to do that would be using a cookie, either with JavaScript, Perl, or Php... in fact, with php it can all be contained within the protected page itself.

As for using Basic authentication, this would need to be validated each session.

If you use the cookie method, I'd strongly suggest having a "logout" button so that if a user is at a friend's house they can clear the cookie (or at a public kiosk or school, etc).

With Basic authentication you can save your password where you only have to click "Ok" each time - not having to actually retype it.

Hope this helps.

<edit>
Well I just gave myself an idea http://www.aota.net/ubb/on.gif - why doesn't the UBB have a "Logout" button? It took me forever to get rid of Jed a couple of weeks ago because his username/password kept popping up in the input boxes - and lots of people share computers.

I'm adding that to my "To do" list right now http://www.aota.net/ubb/smile.gif
</edit>

------------------
Justin Nelson
FutureQuest Support




[This message has been edited by Justin (edited 04-17-99).]

jbroder
10-05-1999, 03:00 PM
Well, here I am on the same topic 11 months later.
I've dropped the credit card function, but I definitely
require passwords.

The good news is that now I understand the original
answer about htpasswd and DBMhash. When I first read
the answer it looked like

"blah blah jbroder blah blah blah jbroder blah"

Anyway, I am ready to do one or the other for passwords,
but I have one question.

I want to password protect a script that puts a new html
file in a directory. Each user has his own directory. The name of the directory is the same as the username.

Once the user has logged in, how do I pass the username from htpassword or DBMhash to the form that makes
the html files (thus ensuring it gets in the right
directory)?


Thanks for all the help over this year.

Jon

------------------
guitartricks.com
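
On the question in the post above: once Apache has checked the login, it hands the authenticated name to CGI scripts in the REMOTE_USER environment variable, so the script never needs a username field in the form. An added example (not from the thread) that maps that name to the per-user directory and refuses anything that could point outside it; USER_BASE, the name patterns and target_path are hypothetical.

```python
import os
import posixpath
import re

# Assumed layout (hypothetical): one directory per user under this base,
# named exactly like the login name, as the post describes.
USER_BASE = "/big/dom/xacme/www/users"

# Accept only plain names; anything that could alter a path is refused.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")
SAFE_FILE = re.compile(r"[A-Za-z0-9_-]{1,64}\.html")

def target_path(environ, requested_file, base=USER_BASE):
    """Map the authenticated user to <base>/<user>/<file>, or raise ValueError."""
    user = environ.get("REMOTE_USER", "")
    if environ.get("AUTH_TYPE", "").lower() != "basic" or not user:
        raise ValueError("request was not authenticated by the server")
    if not SAFE_NAME.fullmatch(user):
        raise ValueError("user name not usable as a directory name")
    if not SAFE_FILE.fullmatch(requested_file):
        raise ValueError("file name not allowed")
    path = posixpath.normpath(posixpath.join(base, user, requested_file))
    # Belt and braces: the result must still sit in this user's directory.
    if not path.startswith(posixpath.normpath(base) + "/" + user + "/"):
        raise ValueError("path escapes the user's directory")
    return path

if __name__ == "__main__":
    # Constructed environment; under Apache a CGI script would pass os.environ
    # and take the file name from the submitted form.
    demo_env = {"AUTH_TYPE": "Basic", "REMOTE_USER": "newuser"}
    print(target_path(demo_env, "lesson1.html"))
```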