Hi

Im using opennms network configuration backup server called 'RANCID'.It run on top of RHEL5 system and
using APache.

Here's the link which i'm accessing

http://172.25.6.211/cgi-bin/cvsweb.cgi

But any one can access this URL and obtain my configuration files

I want to secure this using a logon page.allow login Only for the successful authentications by entering the predefined
username and password

But after get authenticate book marking the above URL still can access anyone since it didnt prompt username and password again

In eachtime executing the above url it should direct to authenticate page

Please be kind enough to give a way to implement this ?

tnx

Hi,

Why don't you use apache authentication, to prompt clients for username/password? It does exactrly what you want to achieve.

Regards

hi

I did what you mentioned.But still I have problems.
I access the web page using Morzilla Browser.Once Im log to the page entering the correct user name and password with the same Browser in different tab dont prompt for username/password I can access the page without username/password.

When I used IE browser things are different.Initially it'll prompt for username/password.After I entered correct credentials I can access the page without prompting username/password even using a new tab with same browser or new IE browser.

How can i overcome these.your responses are highly

tnx

Hi,

I cannot see any difference in the behavior of both browsers as you described it.
In fact this is the normal behavior. Once you've authenticated with username/password, the browser keeps those credentials for the duration of the current session. You can take look here for details
If you close and restart the browser the credentials are lost and you'll be prompted again to supply them on order to access the protected resource.

hi

tnx a lot for your reply.But I see the mentioned difference in both browsers.IE is less secure and even after starting a new IE don't prompt for username/password.These are the configuration I used.

vi /var/www/html/.htaccess

AuthUserFile /home/secure/apasswords
AuthType Basic
AuthName "Restricted Area"
<Limit GET POST>
Require valid-user
</Limit>

vi /etc/httpd/conf/httpd.conf

<Directory "/var/www/html>
Options Indexes Includes FollowSymLinks MultiViews
Allowoverride AuthConfig

Is there any mistakes which I have done or Is there any other alternate way ?

tnx

No. your web server configuration is OK.

You have to close all browser sessions that are currently running in order to clear the credentials.
If E still remembers passwords you can take a look here or here to see how to stop it from doing so.

Regards