[NH] Re: members' only area
- Jody (10:16 AM 11/16/1999) wrote:
>>> This is not true of all sites but it does happen and youYIKES! :)
>>> should check out your server before doing this.
>> This depends on the server configuration...
>> If this happens on your hosting service, then it's a huge
>> security hole. You should bring it up to your site admin or
>> tech support folks and have them configure the server to not
>> allow directory browsing.
>I just had them turn it on for me *on* mine, but not allow to get
>to my parent folder.
Well, the problem with it Jody is that while it can be seen as a
convenience when you just wanna drop files into a folder and point someone
to the subdir, it's easy to forget that it's there.
I have a lot of nooks and crannies on my site that I really don't want
people in. Things like SQL admin pages, the source code for my search
engine, index files and archives for things, SQL table dumps, source for an
NNTP ripper, etc.
Remember also that depending on the rest of the server config, it may be
sensitive to finding "index" (or "default") .html, .htm, .shtml, .htd,
.htdl and others in a directory. This can become a can of worms if someone
wanders into a directory.
Once you allow someone to walk around your site, you're opening doors for
people to find things that they may think they want. If they even _think_
they want it, they will get it.
Be careful out there... :)
- Hi Mark,
>> I just had them turn it on for me *on* mine, but not allow toI understand all that, but *for me* everything I have on my site
>> get to my parent folder.
> YIKES! :)
> Once you allow someone to walk around your site, you're opening
> doors for people to find things that they may think they want.
> If they even _think_ they want it, they will get it.
> Be careful out there... :)
I have it there for people to get - I don't put anything on the
web - even under a password protected area - that I would not
want them to have. (Not that I have one - use to use Gatekeeper
for fun, but took it down.)
The NoteTab and Html List...
>From: chrispye@...Remember also to add to your root directory the file "robots.txt" to
>Subject: [NH] members' only area
>I want to create a 'members' only' page on my website
>From: "Grey Cat" <greycat@...>
>easier solution is to just give the name of the page to those who are
>allowed on it. i.e. wanttoknow.com/secrets.html
>From: Jody <KJB1611@...>
>You need to go cgi or the like for good security.
>From: Mark Pulver <mpulver@...>
>You should bring it up to your site admin or tech support folks and have
>them configure the server to not allow directory browsing.
disallow private directories: if you write the file "secrets.html" I guess
you don't like a link on AltaVista... even if the file is password protected.
To avoid directory browsing it's enough to put into it an index.html file
pointing elsewhere with a META redirection. BTW, the file "default.htm" is
a standard only on NT servers...
If your provider use Apache you can do a lot of interesting things with a
directory: for example, you can hide some files from browsing, leaving
visible other files.
I suggest you to download Apache server (it runs even on Win95!).
You can run it locally at the address http://localhost (there is a way to
add local web addressess, but it's out of topic here) and you can
experience everything you need *before* to put online your stuff, even CGI,
counters and so on.
I use it to "teach Internet" without the need of a modem.
Another solution can be a FileMaker 4.x server: the database can track
users and passwords, giving a very personal access to visitors, and there
is no need of CGI. Moreover, the same file can be used on Win and Mac.
Hope this helps!
unofficial personal page: