Connie744

How to avoid basic authentication warning when using protected directory?

Posted in: #Apache #Authentication #Https

I used cpanel on my hosted site to set up a password protected directory to allow downloads of specific files.

I send people a link to the file by email and include their username and password so they can authenticate and download the file.

When people use IE there is a warning message:

Warning this server is requesting your username and password be sent in an insecure manner...

This server is Apache. How can I stop this message appearing? Will SSL stop it? I would prefer to not have to use SSL.


3 Comments


@Sims2060225

Either use SSL or switch to digest authentication. HTTP has supported digest authentication since HTTP 1.1, and pretty much all contemporary browsers (hopefully by now even lynx has added HTTP digest) support digest authentication. It's no more difficult to implement or any more taxing on the server or client, so there's really no more reason to continue using basic authentication.

It's sad that cPanel and so many other web hosts' control panels still default to basic authentication for whatever reason, but in most cases (one of my few gripes with DreamHost is that they still default to basic authentication for SVN repos, and there's currently no way to change it manually) you can easily set up digest authentication on your own.

You just need to use htdigest to generate a password file and change the .htaccess configurations to:

AuthType Digest
AuthDigestDomain /private/
AuthDigestFile /path/to/.password_file


All the other HTTP authentication directives remain the same.

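To show what the switch above actually buys you, here is an added example (not from the answer or from cPanel/Apache) of how a server checks a Digest Authorization header against the `user:realm:HA1` lines that `htdigest` writes, per RFC 2617 with qop=auth. The username, realm, password, nonce and URI are constructed sample values; a real server would also validate that it issued the nonce recently.

```python
import hashlib
import hmac
import re

# Constructed sample of the file `htdigest` writes: user:realm:HA1, where
# HA1 = MD5("user:realm:password"). The password "s3cret" is never stored.
HTDIGEST_TEXT = "alice:private:" + hashlib.md5(b"alice:private:s3cret").hexdigest() + "\n"

def load_htdigest(text):
    """Map (user, realm) -> HA1 hex digest from htdigest-format lines."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            user, realm, ha1 = line.strip().split(":", 2)
            table[(user, realm)] = ha1
    return table

def parse_digest_header(header):
    """Parse 'Digest k="v", k2=v2, ...' (the Authorization header value) into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)}

def expected_response(ha1, method, p):
    """RFC 2617 response: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{p['uri']}".encode()).hexdigest()
    if p.get("qop") == "auth":
        data = f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}"
    else:  # legacy RFC 2069 form without qop
        data = f"{ha1}:{p['nonce']}:{ha2}"
    return hashlib.md5(data.encode()).hexdigest()

def verify_digest(header, method, table):
    """Server side: recompute the response from the stored HA1 and compare."""
    p = parse_digest_header(header)
    ha1 = table.get((p["username"], p["realm"]))
    if ha1 is None:
        return False
    return hmac.compare_digest(expected_response(ha1, method, p), p["response"])

def client_header(user, realm, password, method, uri, nonce):
    """Client side: what a browser sends; only a hash of the password goes on the wire."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    p = {"uri": uri, "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
    resp = expected_response(ha1, method, p)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc=00000001, cnonce="0a4f113b", response="{resp}"')
```

Note that the response is bound to the HTTP method and URI, so a captured header cannot simply be replayed against a different resource, which is the property Basic authentication lacks.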

@Sarah324

Yes, SSL is the answer. Without it their login and password are sent in plain text which is insecure. SSL encrypts their login information so it is secure from eavesdroppers.


@Turnbaugh106

This username and password are being sent in plain text over the network connection so it's vulnerable to packet sniffers like Wireshark. As the wiki says:

> Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, if SSL/TLS is not used, then the credentials are passed as plaintext and could be intercepted.

So you would have to use some form of SSL to prevent the warning from appearing.

All that said, for very basic security I use a program called Coffee Cup Website Access Manager which generates .htpasswd files and uploads them to a webserver, and I've never experienced (or had a client experience) a security warning like the one you refer to.
