Password protected web pages

Unobvious URLs

Create a document or directory with an obscure (not easy to guess) name and do not have any links from your site to it.
For example: http://somedomain.com/xiy83HZ.html or http:/somedomain.com/diu39Qa/
Give the 'secret' URL out to only people who you want to access the page or directory. Or use a form or javascript to check for a 'password' and then redirect to that obscure URL.
This is NOT security! but can be used to obscure things that do not require real security
Pointed out at the meeting (Thanks Duane): The obscure filename only remains obscure if the directory it is in is prohibited from giving a file list when the directory name is used as the URL. To prevent a file list be sure to include an index.html file in that directory that will load by default if just the directory name is the URL. Another way (on an Apache web server) is to create a (hidden) file called '.htaccess' in or above the directory of concern. On a separate line in that file place the command:
Options -Indexes

Basic authentication / htaccess

Many resources on how to use, here is a few:
- http://www.apacheweek.com/features/userauth
- http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
- http://hotwired.lycos.com/webmonkey/html/97/08/index2a.html
- http://www.w3.org/Security/faq/wwwsf3.html
  The above link refers to a set of PERL scripts that will automate management of users/passwords using this method of authentication (http://stein.cshl.org/~lstein/user_manage/)
- My outline for discussion at the SIG
Widely supported by web servers (NCSA, Apache, ...)
Control access with username/password
More secure, but still not very secure:
- username/password is sent over internet in clear text (uuencoded) each time a 'protected' page is requested and can be read by packet sniffers.
- The username/password are also encrypted if used with SSL (solving the problem with packet sniffing), but serving all your pages through a secure server is much slower [is this correct???] if this level of security is not needed for your content.

Home grown - cgi

Write (or find) a script (perl, c, etc...) to validate username/password. All requests for 'protected' pages go through a cgi script and the pages are served by the script. Links to your pages something look like:
http://somedomain.com/cgi-bin/redirect.cgi?link=aPage.htm&user=dcv&pass=D8*i!w

OR

http://somedomain.com/cgi-bin/redirect.cgi?akDiir.v8i395635fv#c9i9889er

the script decodes and serves up the correct content. Username/password is encode in the URL or saved in cookies.
Security ??? Security here probably depends on how well the script is written. [Comments here???]

Built into web server software (eg. Cold Fusion)

security ?? [How secure is this???]

SSL

quite secure, but slow? [Correct???]

Other???

Duane's contribution to this subject (thanks Duane!):

           I had several links bookmarked on the topic of password-
          protecting web sites. These topics were covered in
          December's presentation by Dave. I'll list them here,
          in addition to those he's posted.
          
          
          ** These pages cover web-based user authentication using .htaccess
          http://www.psoft.net/htaccess.html
          http://mirage.golden.net/htaccess.html
          http://jdurand.home.cern.ch/jdurand/htaccess/htaccess.html
          http://bignosebird.com/passwd.shtml
          http://ftp.arl.mil/~mike/access.html
          http://www.eclipse.net/webmaster/password.html
          http://www.barmaton.nl/help/htaccess.html
          
          
          ** CGI script discussed here handles a common problem: allowing
             users to `register' themselves to access a controlled directory.
          http://www.stonehenge.com/merlyn/WebTechniques/col05.html
          
          
          ** The .htaccess file has other useful functions.
          http://www.baremetal.com/gadgets/htaccess/
          http://www.eclipse.net/webmaster/htaccess.html