LinuxQuestions.org
Old 03-21-2018, 06:38 AM   #1
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Rep: Reputation: 32
Password Protect Folders


Hi all

It's been some time since I've protected a folder on my server, it seems not to work for me
I've been at it for hours. The protect box pops up, I put in my user and pass and I get a 500 error
logs say AH01620: Could not open password file: /etc/apache2/.htpasswd

I've tried all types of ways and viewed many links, even went back over my own records and I just can't seem to get it going.

Can anyone point me to a link that will explain and work, I'm using Ubuntu 14.4 server

Quote:
sample of .htaccess file below, use note pad and save as ( .htaccess )

----------------------------------

AuthType Basic
AuthName "You Wish Jelly Wish"
AuthUserFile /etc/apache2/.htpasswd
Require user user_name user_name

Quote:
htpasswd -c /etc/apache2/.htpasswd user_name

added the below to my apache 000-default.conf file

Quote:
<DIRECTORY /home/dude/public_html/protect>

AllowOverride AuthConfig

</DIRECTORY>

Last edited by tommytomato; 03-21-2018 at 06:39 AM.
 
Old 03-21-2018, 07:34 AM   #2
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Original Poster
Rep: Reputation: 32
I found a way to do it

https://www.youtube.com/watch?v=o6q374gtNVg

seems simple enough, though it doesn't work with phpmyadmin folder

cheers
 
Old 03-21-2018, 08:54 AM   #3
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Originally Posted by tommytomato
I found a way to do it

https://www.youtube.com/watch?v=o6q374gtNVg

seems simple enough, though it doesn't work with phpmyadmin folder

cheers
You can use phpmyadmin's config file in order to password protect it.
Open config.inc.php and add/edit/comment out the following:
Code:
/*
 * This is needed for cookie based authentication to encrypt password in
 * cookie
 */
$cfg['blowfish_secret'] = 'Just put some gibberish in here'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';

Last edited by bathory; 03-21-2018 at 09:19 AM.
 
Old 03-21-2018, 05:21 PM   #4
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Original Poster
Rep: Reputation: 32
Cheers for that bathory

Is there another way other than using cookies? It's just I run Ccleaner every night and it removes my cookies. Will that make a difference?
Couple of years ago I used a .htaccess with IP, my server sits right next to me..

cheers
 
Old 03-21-2018, 07:50 PM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
In addition to phpmyadmin's built-in security, I also put it behind an apache auth security, so that the first page requires web login before even presenting the phpmyadmin login.

And no, removing cookies won't affect phpmyadmin's security, but they must be enabled in the browser for it to work. The software creates new session cookies every time, and (I think) removes them on logout anyway.

Oh! for
Quote:
Could not open password file: /etc/apache2/.htpasswd
...check the permissions on the /etc/apache2/.htpasswd -- my equivalent is owned by root and is chmod 644...although the .htpasswd file should be in the folder being protected, which wouldn't usually be in /etc/apache2, but in a folder in the DocumentRoot of the web server.

Last edited by scasey; 03-21-2018 at 07:57 PM.
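
Added example, not written by any poster in this thread: a POSIX shell check for the AH01620 "Could not open password file" error discussed above. It walks from the password file up through its parent directories and reports the first component that a non-owner account cannot read or traverse. It assumes the web server account is neither owner nor group member of those paths, so only the "other" mode bits matter; the function names are illustrative.

```shell
#!/bin/sh
# Added example. Assumption: the Apache account (www-data on Ubuntu) is
# neither owner nor group member of any path component, so only the
# "other" mode bits decide access. ACLs and AppArmor are not inspected.

# other_bit PATH COL: one character of the `ls -ld` mode string
# (column 8 = other-read, column 10 = other-search/execute).
other_bit() {
    ls -ld "$1" | cut -c"$2"
}

# first_blocker FILE [STOP_DIR]
# Prints the first component that denies access and returns 1;
# prints nothing and returns 0 when the chain is open.
# STOP_DIR (default /) is the last directory checked.
first_blocker() {
    file=$1
    stop=${2:-/}
    case $file in
        /*) ;;
        *) echo "$file (give an absolute path)"; return 2 ;;
    esac
    if [ ! -f "$file" ]; then
        echo "$file (missing or not a regular file)"
        return 1
    fi
    if [ "$(other_bit "$file" 8)" != r ]; then
        echo "$file (not readable by others)"
        return 1
    fi
    dir=$(dirname "$file")
    while :; do
        case $(other_bit "$dir" 10) in
            x|t) ;;   # t = search bit plus sticky bit, as on /tmp
            *) echo "$dir (no search permission for others)"; return 1 ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# Usage on the path from the thread (run as root so every component is visible):
#   first_blocker /etc/apache2/.htpasswd || echo "fix the component above"
```

A "missing" result right after running `htpasswd -c` usually means the command could not write into the target directory, which is worth checking before looking at modes.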
 
Old 03-22-2018, 01:52 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Originally Posted by tommytomato
Cheers for that bathory

Is there another way other than using cookies? It's just I run Ccleaner every night and it removes my cookies. Will that make a difference?
Couple of years ago I used a .htaccess with IP, my server sits right next to me..

cheers
As scasey said, the cookies expire when you leave phpmyadmin, so there is no problem if you delete them.
You can replace in auth_type 'cookie' with 'http', resulting in http authentication but using the credentials of mysql users.

AFAIK if you want to use the webserver http authorization through .htaccess and a password file, you must use auth_type 'config' and supply also in config.inc.php the mysql root/password in plain text!!!
 
Old 03-22-2018, 07:06 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
An even stronger level of protection can be obtained by using mod_ssl "in reverse," so that the supplicant must himself possess a properly-signed certificate in order to access the location(s).
 
Old 03-22-2018, 02:54 PM   #8
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
Quote:
Originally Posted by bathory
AFAIK if you want to use the webserver http authorization through .htaccess and a password file, you must use auth_type 'config' and supply also in config.inc.php the mysql root/password in plain text!!!
Not exactly. I'm suggesting the auth_config in apache...nothing to do with anything php-based.
The password is encrypted and stored in a file not directly accessible from the web...with the location in the .htaccess file -- or, better, in the httpd.conf file. See the apache documentation.
 
Old 03-23-2018, 03:09 AM   #9
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Originally Posted by scasey
Not exactly. I'm suggesting the auth_config in apache...nothing to do with anything php-based.
The password is encrypted and stored in a file not directly accessible from the web...with the location in the .htaccess file -- or, better, in the httpd.conf file. See the apache documentation.
You misunderstood me.
What I've said to OP, is that if he wants to use the apache way, i.e. protect the folder with htpasswd, he must then supply the username/password of the mysql user in the phpmyadmin config file in plain text.

Of course the apache password is encrypted by htpasswd, but the mysql password is written in plain text in config.inc.php!


Regards
 
Old 03-23-2018, 01:37 PM   #10
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
Quote:
Originally Posted by bathory
You misunderstood me.
What I've said to OP, is that if he wants to use the apache way, i.e. protect the folder with htpasswd, he must then supply the username/password of the mysql user in the phpmyadmin config file in plain text.

Of course the apache password is encrypted by htpasswd, but the mysql password is written in plain text in config.inc.php!


Regards
I'm sorry...I don't agree. The mysql password is stored within the mysql database...encrypted. There is no userid or password in config.inc.php...at least not in my very secure installation of the tool.

My configuration uses "the apache way," as you've described, with a userid and encrypted password in a file in /usr/webauth (which directory and file is defined in the .htaccess file in the phpmyadmin directory). It is not the same userid or password that mysql uses (although it could be)...it is merely an apache auth to require login to even see the login page for phpmyadmin...it doesn't log into mysql automatically.

The OP commented that it didn't work with the phpmyadmin folder. I'm saying it should. The OP needs to review the Apache documentation to which I previously posted a link.

Last edited by scasey; 03-23-2018 at 01:50 PM.
 
All times are GMT -5.