
Secure 2.3.1


20 replies to this topic

#1   oscbeginner99

oscbeginner99
  • Members
  • 8 posts

Posted 09 April 2011 - 04:23 PM

I have used my Hostgator cpanel to password protect the admin directory.

This evidently does not work. I cannot login.

After lengthy effort from the host, they finally removed password protection from the admin directory
so that I can login.

What options are available to secure 2.3.1 version?
Are procedures different from the older versions?

Thank you in advance

#2   toyicebear

toyicebear
  • Community Sponsor
  • 6,052 posts

Posted 09 April 2011 - 05:30 PM

2.3.1 has a "built-in" htaccess password system for admin...

Go to "Administrators" in your shop's admin .. and follow the instructions given there
Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce

Check out my profile [click here] for information on professional services, custom coding, templates, SEO optimization, modifications, commercial support and help.

#3   oscbeginner99

oscbeginner99
  • Members
  • 8 posts

Posted 09 April 2011 - 06:00 PM

toyicebear, on 09 April 2011 - 05:30 PM, said:

2.3.1 has a "built-in" htaccess password system for admin...

Go to "Administrators" in your shop's admin .. and follow the instructions given there


Thank you for your response. I have now looked at the Administrators area and see:

"The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:

    /home/zappersu/public_html/catalog/admin/.htaccess
    /home/zappersu/public_html/catalog/admin/.htpasswd_oscommerce

Reload this page to confirm if the correct file permissions have been set."

I must be missing something simple, but I do not see the files in the admin directories.

Do I have to create them somehow?

#4   toyicebear

toyicebear
  • Community Sponsor
  • 6,052 posts

Posted 09 April 2011 - 06:12 PM

Not in the shop's admin; go to the file manager in your hosting control panel, where you should be able to see them and set the correct permissions.

#5   oscbeginner99

oscbeginner99
  • Members
  • 8 posts

Posted 09 April 2011 - 06:30 PM

toyicebear, on 09 April 2011 - 06:12 PM, said:

Not in the shop's admin; go to the file manager in your hosting control panel, where you should be able to see them and set the correct permissions.

Yes, I am looking through the cpanel and do not see those 2 files in the admin folder.......

#6   Xpajun

Xpajun
  • Members
  • 1,295 posts

Posted 09 April 2011 - 07:33 PM

Brad, you should be able to use your cPanel to password protect the admin BUT user name and Password MUST be the same as your admin login

#7   oscbeginner99

oscbeginner99
  • Members
  • 8 posts

Posted 09 April 2011 - 08:35 PM

Xpajun, on 09 April 2011 - 07:33 PM, said:

Brad, you should be able to use your cPanel to password protect the admin BUT user name and Password MUST be the same as your admin login

That is very interesting.....I would have thought that you should use a different pass and user.
But what about changing the permissions on the files that I cannot see?

1. public_html/catalog/admin/.htaccess
2. public_html/catalog/admin/.htpasswd_oscommerce

#8   Xpajun

Xpajun
  • Members
  • 1,295 posts

Posted 10 April 2011 - 07:51 AM

oscbeginner99, on 09 April 2011 - 08:35 PM, said:

That is very interesting.....I would have thought that you should use a different pass and user.

Yes it is - many others have voiced the same opinion - tell the core coders :rolleyes: :rolleyes:

If you manage to get the osC .htaccess protection working that is exactly what it will do - produce .htaccess protection with the same username and password

oscbeginner99, on 09 April 2011 - 08:35 PM, said:

But what about changing the permissions on the files that I cannot see?

1. public_html/catalog/admin/.htaccess
2. public_html/catalog/admin/.htpasswd_oscommerce


In your cPanel file manager do you have a check box to show hidden files?

#9   oscbeginner99

oscbeginner99
  • Members
  • 8 posts

Posted 10 April 2011 - 08:09 PM

Xpajun, on 10 April 2011 - 07:51 AM, said:

Yes it is - many others have voiced the same opinion - tell the core coders :rolleyes: :rolleyes:

If you manage to get the osC .htaccess protection working that is exactly what it will do - produce .htaccess protection with the same username and password

In your cPanel file manager do you have a check box to show hidden files?

Thank you Xpajun,
I was not aware that these would be hidden files. Thank you very much...now I changed these to 777 and I hope
that this is correct.

#10   peteravu

peteravu
  • Members
  • 312 posts

Posted 04 October 2011 - 08:52 PM

oscbeginner99, on 10 April 2011 - 08:09 PM, said:

Thank you Xpajun,
I was not aware that these would be hidden files. Thank you very much...now I changed these to 777 and I hope
that this is correct.

Why must they be writable after the change? When I change back to 655 it again says "the following files need to be writable by the web server to enable the htaccess/htpasswd security layer:" but 655 must be better than 777? So now I have 655 and have to log in twice; that must be more secure than 777, right or not?

#11   ShallonCimelus

ShallonCimelus
  • Members
  • 4 posts

Posted 04 October 2011 - 09:50 PM

Can someone tell me the proper permissions for the two .htaccess files? I must be missing something...

I keep getting:
Error Additional Protection With htaccess/htpasswd
This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:
	/home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htaccess
	/home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htpasswd_oscommerce
Reload this page to confirm if the correct file permissions have been set.

I've removed the .htpasswd_oscommerce file
Within my control panel I've added a username and password (same as admin) for my admin folder.
I've also tried a ton of different permission combinations and no luck...

#12   peteravu

peteravu
  • Members
  • 312 posts

Posted 05 October 2011 - 08:10 PM

ShallonCimelus, on 04 October 2011 - 09:50 PM, said:

Can someone tell me the proper permissions for the two .htaccess files? I must be missing something...

I keep getting:
Error Additional Protection With htaccess/htpasswd
This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:
	/home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htaccess
	/home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htpasswd_oscommerce
Reload this page to confirm if the correct file permissions have been set.

I've removed the .htpasswd_oscommerce file
Within my control panel I've added a username and password (same as admin) for my admin folder.
I've also tried a ton of different permission combinations and no luck...

It works if you change to 777

#13   ShallonCimelus

ShallonCimelus
  • Members
  • 4 posts

Posted 05 October 2011 - 08:56 PM

peteravu, on 05 October 2011 - 08:10 PM, said:

It works if you change to 777

Yeah I've tried that before and nothing. I'll leave it for a few hours and see.
I've also cleared my browser of all files, different browser and different computer and still the same issue.

Anyone have another idea?

TIA

#14   ShallonCimelus

ShallonCimelus
  • Members
  • 4 posts

Posted 06 October 2011 - 10:29 PM

A day later and still no change.

Anyone have any other ideas?

#15   kymation

kymation

    Believers

  • Community Sponsor
  • 6,683 posts

Posted 06 October 2011 - 11:08 PM

You cannot use your host's control panel to set the .htaccess protection unless you remove all of the access protection code from the osCommerce admin. Remove the protection in your host's control panel, restore the file you deleted, set the permissions as instructed in your Admin, and follow the rest of those instructions.

Regards
Jim
My Addons

Banners Box 2.3.x  Support
Categories Accordion Box 2.3.x  Support
Categories Images Box 2.2x  2.3.x  Support
Closest Shipper 2.2x  Support
Document Manager 2.2x  Support
Generic Box 2.3.x  Support
Get 1 Free 2.2x  Support
jQuery Banner Rotator 2.2x  2.3.x  Support
Modular Front Page 2.3.x  Support
Modular SEO Header Tags 2.3.x  Support
MVS 2.2x  Support
PDF Datasheet 2.3.x  Support
Price Updater 2.2x
Products Specifications 2.2x  2.3.x  Development Version  Support  Bugs/Suggestions
Request a Review 2.2x - 2.3.x  Support
Similar Products Box 2.2x
Specials Image Overlay 2.3x Support
Theme Switcher 2.3.x  Support

#16   peteravu

peteravu
  • Members
  • 312 posts

Posted 07 October 2011 - 12:12 AM

Why must they be writable after the change? When I change back to 655 it again says "the following files need to be writable by the web server to enable the htaccess/htpasswd security layer:" but 655 must be better than 777? So now I have 655 and have to log in twice; that must be more secure than 777, right or not?

#17   Taipo

Taipo
  • Members
  • 754 posts

Posted 07 October 2011 - 06:06 AM

I guess it will allow you to change your password in the future?

666 is generally the writable setting for files.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here

#18   ShallonCimelus

ShallonCimelus
  • Members
  • 4 posts

Posted 07 October 2011 - 01:33 PM

SOLUTION!
So after messing with the permissions more, I got a 500 Error and was no longer able to access the admin side of osCom. I deleted everything and started completely fresh.

Installation completed, no issues. Go into the admin and get the following error:
Error Additional Protection With htaccess/htpasswd
This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
Enabling the htaccess/htpasswd security layer will automatically store administrator username and passwords in a htpasswd file when updating administrator password records.
Please note, if this additional security layer is enabled and you can no longer access the Administration Tool, please make the following changes and consult your hosting provider to enable htaccess/htpasswd protection:
1. Edit this file:
/home/zzzz/public_html/catalog/zzzz/.htaccess
Remove the following lines if they exist:
##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####
AuthType Basic
AuthName "osCommerce Online Merchant Administration Tool"
AuthUserFile /home/zzzz/public_html/catalog/zzzz/.htpasswd_oscommerce
Require valid-user
##### OSCOMMERCE ADMIN PROTECTION - END #####
2. Delete this file:
/home/zzzz/public_html/catalog/zzzz/.htpasswd_oscommerce
This time, I clicked on my admin user > edit > put in the same password and checked "protect with .htaccess" > save.
Refresh pop-up comes up, input login info and error is gone!

The first time I just checked "protect with .htaccess..." and did NOT put a password in, because it says "New Password". I believe that was the root of all my issues.
I read the directions several times and they are a little lax with this one step. I would recommend adding a little more to say "insert same password in the 'New Password' field and check the protection" for those like me that thought the original password would stay if left blank.

.htaccess and .htpasswd_oscommerce are in my admin dir with permissions 644.

Thank you all for your help.

Edited by ShallonCimelus, 07 October 2011 - 01:34 PM.
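The two things this thread converges on, the permission question in posts #16 and #17 (655 or 666 versus 777) and the .htaccess block quoted in post #18, can be checked with a small audit script. The following is an added example, not osCommerce code and not anything posted by the participants. It builds a constructed sample admin directory in a temporary location using the marker lines and directives quoted in post #18; the function names, the placeholder hash string and the "admin" username are assumptions, as is the choice to flag only the "other write" bit.

```python
import os
import stat
import tempfile

# Marker lines osCommerce 2.3.1 writes around its admin protection block (quoted in post #18).
BLOCK_BEGIN = "##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####"
BLOCK_END = "##### OSCOMMERCE ADMIN PROTECTION - END #####"
HTPASSWD_NAME = ".htpasswd_oscommerce"


def parse_protection_block(htaccess_text):
    """Directives between the BEGIN/END markers as a dict keyed by lower-cased
    directive name, or None when the block is absent."""
    if BLOCK_BEGIN not in htaccess_text or BLOCK_END not in htaccess_text:
        return None
    inner = htaccess_text.split(BLOCK_BEGIN, 1)[1].split(BLOCK_END, 1)[0]
    directives = {}
    for line in inner.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')
    return directives


def htpasswd_users(path):
    """Usernames listed in an htpasswd file (one 'user:hash' per line)."""
    users = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and ":" in line:
                users.add(line.split(":", 1)[0])
    return users


def mode_findings(path, label):
    """Flag the bit that matters most on a shared host: write access for 'other'.
    666/777 grant it; 644 (post #18) and 655 (post #16) do not."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        return [f"{label} is world-writable ({mode:o}): every account on the host can edit it"]
    return []


def audit_admin_protection(admin_dir, admin_username):
    """Check the two files the osCommerce admin page complains about; an empty
    list of findings means the htaccess/htpasswd layer is wired up correctly."""
    findings = []
    htaccess = os.path.join(admin_dir, ".htaccess")
    htpasswd = os.path.join(admin_dir, HTPASSWD_NAME)
    if not os.path.isfile(htaccess):
        return [".htaccess is missing: the htaccess/htpasswd layer is not enabled"]
    with open(htaccess, encoding="utf-8") as fh:
        block = parse_protection_block(fh.read())
    if block is None:
        findings.append(".htaccess has no osCommerce protection block: admin relies on the PHP login only")
    else:
        if block.get("authtype", "").lower() != "basic":
            findings.append("AuthType is not Basic")
        if block.get("require") != "valid-user":
            findings.append("Require is not 'valid-user'")
        userfile = block.get("authuserfile")
        if not userfile or not os.path.isfile(userfile):
            findings.append("AuthUserFile points at a missing file: Apache cannot authenticate anyone (the lock-out seen in this thread)")
        elif admin_username not in htpasswd_users(userfile):
            findings.append(f"AuthUserFile has no entry for '{admin_username}': the browser login can never succeed")
    findings += mode_findings(htaccess, ".htaccess")
    if os.path.isfile(htpasswd):
        findings += mode_findings(htpasswd, HTPASSWD_NAME)
    return findings


def build_sample_admin_dir(admin_dir, htpasswd_mode=0o644, with_user=True):
    """Constructed sample layout mirroring the files quoted in the thread."""
    os.makedirs(admin_dir, exist_ok=True)
    htpasswd = os.path.join(admin_dir, HTPASSWD_NAME)
    with open(htpasswd, "w", encoding="utf-8") as fh:
        if with_user:
            fh.write("admin:PLACEHOLDER_HASH\n")  # constructed placeholder, not a real hash
    os.chmod(htpasswd, htpasswd_mode)
    htaccess = os.path.join(admin_dir, ".htaccess")
    with open(htaccess, "w", encoding="utf-8") as fh:
        fh.write(BLOCK_BEGIN + "\n")
        fh.write("AuthType Basic\n")
        fh.write('AuthName "osCommerce Online Merchant Administration Tool"\n')
        fh.write(f"AuthUserFile {htpasswd}\n")
        fh.write("Require valid-user\n")
        fh.write(BLOCK_END + "\n")
    os.chmod(htaccess, 0o644)
    return admin_dir


def demo(htpasswd_mode=0o666, with_user=True):
    """Build the sample layout in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        admin_dir = build_sample_admin_dir(os.path.join(tmp, "admin"), htpasswd_mode, with_user)
        return audit_admin_protection(admin_dir, "admin")


if __name__ == "__main__":
    for finding in demo() or ["no findings"]:
        print(finding)
```

The "writable by the web server" message is about which user the web server process runs as, not about opening the file to everyone. On hosts where PHP runs as the account owner, 644 already satisfies it, which is why post #18 ends with 644 working; 666 or 777 satisfy the check too, but on a shared host they let any other account rewrite the admin's .htaccess, so the audit reports them as a finding.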


#19   JoeBaker

JoeBaker
  • Members
  • 3 posts

Posted 13 October 2011 - 07:41 PM

Hello.

I am having the problem described here, so I have been stepping through the advice given. I found the checkbox for hidden files, changed the permissions for the two .htaccess files, selected password protect from within filemanager and then got the same error message as ShallonCimelus. Only when I put in the same password I was no longer able to access the Administration Tool. I followed the instructions to delete the one and modify the other .htaccess file, which resulted in the original message.

I'm going around in circles and getting frustrated.

Before I found the checkbox for hidden files, I found a password protect thingy on the control panel and used it to password protect the admin directory. Although it doesn't seem to be working, there doesn't appear to be a way to unpassword protect the admin directory. Could it be preventing me from doing it the .htaccess way?

Should I delete the admin directory and reupload it from my local drive to try again, or is there something very simple and obvious that I am overlooking?

Joe

#20   JoeBaker

JoeBaker
  • Members
  • 3 posts

Posted 14 October 2011 - 11:52 AM

Hello.

I was able to solve my problem.

The information I needed was in Jim Keebaugh's post. First I figured out how to unpassword protect the admin from cpanel. Then I changed the permissions on both the .htaccess files and the admin directory. Then I used the security feature in Admin. This time there was a checkbox along with the request for a "new" password. I supplied the same username and password and checked the checkbox. It worked.

There are so many seemingly insignificant ways one can get things wrong while trying to get them right. The process for undoing password protection is an example. I watched the instructional video supplied by cpanel that showed the process for creating password protection. It didn't show how to undo it, so first I tried undoing it in the same sequence as doing it. That didn't work. But when I tried undoing it in reverse sequence, it did work!

There seem to be two competing methods for password protecting the admin. One calls for using cpanel, one for using admin. It can be tricky figuring out which method is right, and even more tricky to back out of the method that is wrong. Knowing that I needed to use the same password, not a new one, and that I had to change the permissions for the admin directory as well as for the .htaccess files was key, at least for me.

Joe