# Best method to restrict Website Access



## Tabvla (Apr 10, 2006)

I have a requirement to restrict access to a website. This is a legitimate request as the company does not deal with the general public and therefore does not want enquiries coming in from the public. 

The company's hosting service provider uses a Microsoft Hosting solution. Folder password protection is available. The company does not want to use a database of authorised users but rather wants a simple solution where an authorised user will enter a password to gain access.

I have been reviewing the various ways that this can be achieved but cannot determine which is the best method. I have not had a request for this requirement before so I don't have practical experience with what works and what does not work.

I would appreciate guidance from web developers who have implemented a simple, workable and reasonably secure solution in a Microsoft Hosting environment. This does not have to be a Fort Knox solution, but should be robust enough to keep out the general public.

TiA

T.


----------



## haswalt (Nov 22, 2004)

Well, your best bet (since you don't want the database method) would be to use the password protected directories. Just protect the main directory and the HTTP authentication protocol will be activated whenever someone tries to access the site.

An example can be seen here: http://vfh2.voicesforhorses.co.uk/.

Regards,

Harry


----------



## Tabvla (Apr 10, 2006)

Hi Harry

Thanks for your reply.

I agree that the "Protected Directories" method is the simplest and most cost effective method.

In the "Protected Directories" method the login is implemented using a User Name and Password. A problem with this method in a Microsoft Hosting environment is that the Hosting Service Provider assigns a single User Name to a customer account to be used with all Protected Directories. Therefore if a customer has a number of restricted access websites the same User Name will have to be used with each, which in some circumstances may not be appropriate.

If we don't use either a database or protected directories, is there another method of limiting access to a website in a Microsoft Hosting environment?

Thanks

T.


----------



## haswalt (Nov 22, 2004)

Well, I guess you could use a hard coded ASP page that you just assign usernames and passwords in by hand.

Not very elegant and easy to maintain and not sure how entirely secure it is.

Harry


----------



## Tabvla (Apr 10, 2006)

Like you say.... not elegant and not very secure...




T


----------



## leeuniverse (Jul 22, 2008)

That sounds dumb.... You're telling me that in an MS hosting environment you can't .htpassword protect individual directories? That doesn't make sense at all. That's a huge newbie limitation. MS couldn't be "that" limited, could it?


----------



## Tabvla (Apr 10, 2006)

Hi Leeuniverse,



> A problem with this method in a Microsoft Hosting environment is that the Hosting Service Provider assigns a single User Name to a customer account to be used with all Protected Directories. Therefore if a customer has a number of restricted access websites the same User Name will have to be used with each, which in some circumstances may not be appropriate.


I have no idea if this is a limitation in MS Hosting. However, I have not yet found a Microsoft Hosting Service Provider that allows users to assign their own User Name to Protected Directories.

The user can of course assign a Password. But the User Name is provided by the Hosting Service Provider and is commonly a composite key which includes the user's account number. For example let us assume that the User Account Number is abc-12345-0 then the User Name assigned by the HSP for protected directories may be something like def-12345-1.

This may not be common practice throughout the industry but the HSPs that I have investigated all use a similar method when assigning user names to protected directories in an MS hosting environment.

T.


----------



## Caspian1 (Feb 7, 2008)

Yeah, have to agree that does sound like a pretty insecure way to approach protecting data. All you have to do is have one person give up the password and the whole world is in the protected area and then everyone needs to learn a new password.

If the area of the site is important - it could result in key personnel being locked out.


----------
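Added example, not part of any post in this thread: a Python sketch of the HTTP Basic authentication exchange that password-protected directories rely on, with one hashed credential per person so a single account can be removed without changing everyone's password. It models the protocol only, not the IIS or hosting control-panel feature; the user names, passwords, realm and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)

def make_record(password, salt=None):
    """Return (salt, hash) so the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def parse_basic(header):
    """Decode 'Basic <base64(user:pass)>'; return (user, password) or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authorize(header, users, realm="Restricted"):
    """Return (status, response_headers) for one request."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    creds = parse_basic(header)
    if creds is None:
        return 401, challenge  # browser shows its login prompt
    user, password = creds
    # Unknown users still cost one PBKDF2 run, so timing does not reveal names.
    salt, expected = users.get(user, (b"\0" * 16, b"\0" * 32))
    _, actual = make_record(password, salt)
    if user in users and hmac.compare_digest(actual, expected):
        return 200, {}
    return 401, challenge

# Constructed sample accounts: one per person, so one can be removed alone.
USERS = {"alice": make_record("correct horse"), "bob": make_record("battery staple")}

def header_for(user, password):
    """What the browser sends after the prompt: base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Because the `Authorization` header is only base64-encoded, Basic authentication protects the password in transit only when the site is served over HTTPS.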

