CNC: password protecting mult. dir's, same user?
I ran into a problem last night that I don't recall ever stumbling across before. Using the CNC's File Manager, I set up password protection of a directory. Later, I went to password protect another unrelated directory with the same user/password combo. I first tried the default New User option and entered the user/password, but I got an error saying that user already exists. So, I went back and tried selecting that already existing user from the dropdown box and entering various combinations with or without the user and/or password specified, but nothing seemed to work. The only method I could get to go through was to select the user from the dropdown list and enter no username or password in the form. However, that resulted in a 500 Internal Server Error when visiting the page being protected... :( Using the Change Password option in the CNC for that directory would not fix it.
Am I doing something wrong? The wording is very unclear [to me] what the process is for setting the same user/password that is used for another CNC-protected directory. Is this a new aspect of the File Manager password protection utility?
Dan
Arthur
10-28-2002, 01:53 PM
Hi Dan,
I have been trying to duplicate the problem you are describing, but I have not been able to.
To password protect another directory, I did;
select the directory,
click on the Password Protect button,
click on Add User,
select the existing user from the dropdown box,
click on submit
The password protection option has not changed in a while, so it's not a new aspect. I will be going over the code to see if I can find anything. If you are still having the problem or can reproduce it, it would be helpful if you could let us know on which domain you're having the problem, so we can take a look at the password file and .htaccess file.
I will see if we can make the wording more clear to avoid any confusion.
Arthur
Thanks for looking into it.
If you are still having the problem or can reproduce it
I can reproduce it with 100% regularity. The only thing I cannot do is not reproduce it...
It's on abledesign.com. If I remove the user from that directory, it will apparently remove it from all other directories (not desirable). Is that the best thing I can do at this point?
The reason I asked if this is a new feature is because I don't remember ever seeing the user cross over between directories, although I'm not positive I've used the same user in multiple directories on the same account before.
Dan
skolnick
10-28-2002, 03:54 PM
Dan --
How about hitting it with a hammer? Telnet in to the directory in question and delete the .htaccess file and start again.
I assume I could also do that through FTP, but I'd rather know what I'm doing wrong for next time.
I like the hammer suggestion, though. :)
Dan
skolnick
10-28-2002, 04:32 PM
If it doesn't work, hit it with a hammer. If it still doesn't work, find a bigger hammer.
... and if that doesn't work, find a smaller nail.
Dan
Arthur, did you fix something? :confused: I went back to blast the CNC-created password protection out of the directories in question, but I double checked them first and what do you know, it's working fine now! I'm quite positive I didn't touch anything between when it last wasn't working and now...
One thing I found a bit odd was that it was a 500 Internal Server Error on a directory with nothing but PHP files. Aren't 500 errors specific to CGI, or is it also a general Apache (.htaccess) error?
Now if I only knew what made it not work and what made it subsequently work, I'd be a happy camper...
Dan
Arthur
10-29-2002, 02:35 AM
Dan, I think the problem was a pre-existing .htaccess file with one line in it, without a line ending.
The CNC was adding its code to the existing .htaccess file and it was messing up the first line of the file, it became something like;
php_flag ...### CNC_START: ...
I am working on a solution for it.
Arthur
-- Hammer time --
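Added example, not part of the original posts and not the CNC's own code: a sketch of the append bug described above and a version that terminates the last existing line first. The marker text, the function names and the one-line sample file are assumptions made for illustration.

```python
# Marker text is an assumption modelled on the "### CNC_START:" fragment quoted above.
START = "### CNC_START: password protection"
END = "### CNC_END"

def naive_append(existing, directives):
    """What the post describes: the block is glued straight onto the old text."""
    return existing + "\n".join([START, *directives, END]) + "\n"

def safe_append(existing, directives):
    """Terminate the last existing line before adding the managed block."""
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return naive_append(existing, directives)

def fused_lines(text):
    """Line numbers where a marker starts mid-line. Apache only treats '#' as a
    comment at the start of a line, so such a line is parsed as one directive."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if "###" in line and not line.lstrip().startswith("#")]

# Constructed sample: a one-line .htaccess with no trailing newline.
EXISTING = "php_flag register_globals off"
BLOCK = [
    "AuthUserFile /full_path_to/.passwd",
    "AuthName Protected_Area",
    "AuthType Basic",
    "require user someuser",
]

if __name__ == "__main__":
    print(naive_append(EXISTING, BLOCK).splitlines()[0])  # fused first line
    print(fused_lines(safe_append(EXISTING, BLOCK)))      # no fused lines
```

Running fused_lines over existing .htaccess files is a quick way to find directories where a tool-written block was merged into a hand-written directive.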
Ah, thanks for the explanation. Odd thing is, that .htaccess file is the same one used for that same directory on the account it was copied over from. However, it might be that I had CNC-protected the old account's directory before adding the .htaccess file to override register_globals. Can't say I remember the chronology...
When in doubt, add a line ending? :)
Dan
Either I'm really, really dense, or something iffy is still going on with this. I had two directories (still on abledesign.com) password protected with the same username, then I added a third one under that user and went into the CNC to password protect it. Thinking I had learned my lesson from last time, I selected the existing user and was surprised to see that, although the setting apparently took, no login is required when visiting that directory. Furthermore, the previously existing .htaccess protection on one of the other two directories (the 2nd of the two that had been set up) stopped working.
I looked at the .htaccess files in each of the three directories, and I don't really see what's wrong. One difference is that the 3rd directory has only the .htaccess file, not a .htaccess and .htaccess.FQsav file like the other two. They each contain the CNC password protect entries and appear uncorrupted, but there are a mix of the following two entries:
AuthUserFile /big/dom/xabledesign/.sys_opr_dir/CNC_Protect/.passwd
AuthUserFile /big/dom/xabledesign/CNC_Protect/.passwd
Everything else looks the same.
Any ideas? I can give you the specific directories privately, if that helps, but you can most likely figure them out pretty easily from your end.
Thanks,
Dan
Arthur
02-15-2003, 05:29 AM
Hi Dan,
I have taken a look at your account and I see 3 password protected directories in total and when I visit each of those I am being asked for a username and password.
So, everything appears to be working correctly. Maybe your browser had the password cached? Have you tried closing and restarting your browser and then visiting the directories?
The .htaccess.FQsav files can be safely deleted. Those files were created when Terra did the 'directory lockdown' (http://www.aota.net/forums/showthread.php?postid=80442#post80442). The CNC_Protect directory was moved into the .sys_opr_dir. All existing .htaccess files with entries pointing to the CNC_Protect directory were modified and a backup was made called .htaccess.FQsav.
The CNC will save passwords and modifications to the .password file in the new directory.
If you're still having problems, please send an email to the Service Desk with the names of the directories you're having problems with.
HTH,
Arthur
Hi Arthur,
Thanks for looking into it. Very odd that you didn't encounter any problems (reminiscent of the start of this thread)...
Maybe your browser had the password cached? Have you tried closing and restarting your browser and then visiting the directories?
Yes, I tried that several times over several days on two different computers (thus waiting a few days to report the problem) and got the same no-login prompt each time.
Also, I didn't think it's possible for IE to cache .htaccess logins across browser sessions. I know you can choose to store the login info for future use, but the prompt still comes up each time (on new browser sessions) with the fields filled in for you.
When I check again this morning, however, directory #2 in the chronology asks me for the login again, but still nothing on #3 and now #1 doesn't, either, and that's the only one of the three that was working last night... %)
I guess you'll be getting an email from me shortly... :)
Dan
PaulKroll
02-15-2003, 03:41 PM
This absolutely is the behavior of IE and to see it, do the following:
Create two test directories
Protect both of them with a single, new username
Log into one via IE: have it save your username/password.
Point IE at the second directory: IE will let you in without prompting.
If you exit a session, then reload the browser, the first of >ANY< directory you go to with that user name, will come up with the dialog. After that, you'll get in without being prompted. Hence, the behavior you mentioned last.
Mozilla does this too, I think, but in any case I tried it in IE 6 under WinXP. :)
Paul and Dan,
I can confirm same behavior using Phoenix/Mozilla.
-Bob
I wouldn't have guessed that, thanks Paul. Knowing that's what is happening, I guess there's no harm to it, but it certainly is a source of confusion and probably not the most desirable behavior. Of course, that's probably the exact definition of "Microsoft" in the dictionary. :P
Dan
p.s. As mentioned in response to FQ's reply to my Support@ message (uh, I think that's right), all 3 directories correctly prompt for login in Netscape 4.7x, so the password protection at least appears to be in place properly.
Arthur
02-16-2003, 09:37 AM
Dan, Paul,
This is not something restricted to IE, the majority of browsers will exhibit this behavior. It has to do with how basic HTTP authentication works.
All three of Dan's directories require the same user and use the same 'realm'.
Let's look at part of the .htaccess file the CNC creates;
AuthUserFile /full_path_to/.passwd
AuthName Protected_Area
AuthType Basic
require user someuser
If you access a directory with the above in a .htaccess file Apache will send a 401 Authentication Required header to your browser.
Here's what the raw HTTP conversation between your browser and Apache basically looks like;
Your browser:
GET /protected_directory1/index.html HTTP/1.1
User-Agent: Opera/7.02 Bork-edition (Windows NT 5.1; U) [en]
Host: yourdomainname.tld
Apache:
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="Protected_Area"
Your browser will now ask you for a Username and a Password.
Your browser answers with:
GET /protected_directory1/index.html HTTP/1.1
User-Agent: Opera/7.02 Bork-edition (Windows NT 5.1; U) [en]
Host: yourdomainname.tld
Authorization: Basic YXJ0ffKblahblahrc2Vu
(The authorization response is encrypted by your browser). If the authorization matches the Username and Password Apache found in the .passwd file, it will now send the index file to your browser.
Along with the 401 response, certain other information will be passed back to the client. In particular, it sends a name which is associated with the protected area of the web site. This is called the realm, or just the authentication name. The client browser caches the username and password that you supplied, and stores it along with the authentication realm, so that if other resources are requested from the same realm, the same username and password can be returned to authenticate that request without requiring the user to type them in again. This caching is usually just for the current browser session, but some browsers allow you to store them permanently, so that you never have to type in your password again. This means that if you go to /protected_directory2/ and it requires the same user and uses the same realm, you will not be asked for the Username and Password, because you already supplied them when you visited /protected_directory1/ (provided you didn't quit your current browser session).
If you edit the .htaccess file in /protected_directory2/ and change "AuthName Protected_Area2", your browser _will_ ask you for your Username and Password again on your first visit to that directory.
You can find more information about Basic HTTP Authentication in the Apache documentation (http://httpd.apache.org/docs/howto/auth.html#basicworks).
I hope this explains the phenomenon you were seeing a bit better.
Arthur
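Added example, not part of the original posts: a small model of the exchange above, with a server that challenges per AuthName and a browser that caches credentials per (host, realm). It counts login prompts when three directories share one realm and when each has its own. The password, the third directory name and the Browser class are constructed for illustration; the Authorization value is built as base64 of "user:password", as RFC 7617 defines the Basic scheme.

```python
import base64

HOST = "yourdomainname.tld"
USER, PASSWORD = "someuser", "s3cret"   # constructed credentials

def decode_basic(value):
    """Basic credentials are base64("user:password"), as RFC 7617 defines."""
    raw = base64.b64decode(value[len("Basic "):]).decode()
    user, _, password = raw.partition(":")
    return user, password

def make_server(realms):
    """realms maps a directory prefix to its AuthName; returns a request handler."""
    def handle(path, authorization=None):
        realm = next((r for prefix, r in realms.items() if path.startswith(prefix)), None)
        if realm is None:
            return 200, {}
        if authorization and decode_basic(authorization) == (USER, PASSWORD):
            return 200, {}
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    return handle

class Browser:
    def __init__(self, handle):
        self.handle = handle
        self.cache = {}     # (host, realm) -> Authorization header value
        self.prompts = 0    # how many times the login dialog appeared

    def get(self, path):
        status, headers = self.handle(path)
        if status != 401:
            return status
        realm = headers["WWW-Authenticate"].split('realm="', 1)[1].rstrip('"')
        key = (HOST, realm)
        if key not in self.cache:           # unknown realm: ask the user
            self.prompts += 1
            token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
            self.cache[key] = "Basic " + token
        return self.handle(path, self.cache[key])[0]

def count_prompts(realms, paths):
    browser = Browser(make_server(realms))
    statuses = [browser.get(p) for p in paths]
    return browser.prompts, statuses

DIRS = ["/protected_directory1/", "/protected_directory2/", "/protected_directory3/"]
SHARED = {d: "Protected_Area" for d in DIRS}                         # one AuthName
DISTINCT = {d: f"Protected_Area{i}" for i, d in enumerate(DIRS, 1)}  # one per directory
```

With SHARED the model prompts once for all three directories; with DISTINCT it prompts once per directory, which is the effect of changing AuthName described in the post.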
I'm surprised the realm does not contain directory info... That would seem only natural, but maybe my brain doesn't work quite the same way as the Apache developers'.
I'm 99% certain that IE was asking me to log in separately (same browser session) to both of the previously protected directories. It only started doing the "one for all and all for one" thing when I added the 3rd directory. Of course, I believe it was the very same day that my Yahoo Mail account stopped logging me out every 8 hours, as is their stated policy. It doesn't log me out at all now, even if I keep it open overnight, which has never been the case before. Anyone else with a Yahoo Mail account that can confirm if this was a recent change in their setup? If not, my browser went extra goofy this week, and this time I have no Windows "Updates" to point the finger at...
Dan
Yahoo Mail ... doesn't log me out at all now, even if I keep it open overnight...
Oh sure, just as I post that it decides to log me out after almost exactly 24 hours, although the note still says it does so every 8 hours.
Dan
I just realized tonight at least part of the reason why I found the above so out of the ordinary. Using the same browser, one of my accounts exhibits the single login requirement for multiple same user/password setups, while another of my accounts does not. Both have password protection set up through the CNC utility, and there are no differences that I can think of. :confused: I knew it seemed different than what I remembered the first time it happened...
Dan