A service of IAT, Inc.  |  www.holonet.net
Web Support

HoloStore InstantStore
Internet Shopping Support For HoloWWW



Password Protection

You can use this feature to automatically grant access to a password-protected area of your site. The purchaser selects a login name and password to access the area. When granting access, you have the option to specify how long the purchaser should be allowed access, use groups to specify a level of access, and charge for payment.

Note:
This feature is only available to customers on our Apache servers. Please contact us to move your site or confirm that your site is on an Apache server. For documentation on the CERN password protection scheme, please click here.


Implementation

  1. Create a directory to protect
  2. Create a blank password file
  3. Create a "www_htaccess" file
  4. Specify password protection
  5. Specify groups (OPTIONAL)

1.  Create a directory to protect

Create a directory called "protect" as a subdirectory of your site's "http" or "https" directory.

Thus the full path to your "protect" directory will be similar to:

/www/sites/yoursitename/http/protect/
or
/www/sites/yoursitename/https/protect/


2.  Create a blank password file

This file should be inaccessible to Web browsers. We suggest you place it in a directory called "passwords" under your site's "control" directory.

Thus the full path of your password file will be similar to:

/www/sites/yoursitename/control/passwords/passwordfile


3.  Create a "www_htaccess" file

This file specifies which users can access your protected directory. Place this file in the directory you wish to protect.

Example "www_htaccess" file:

  AuthType Basic
  AuthName Pictures From Germany
  AuthDBUserFile /www/sites/rocketshop/control/passwords/germany
  AuthDBGroupFile /www/sites/rocketshop/control/passwords/germany
  <Limit GET>
  require valid-user|group groupName[ groupName]*
  </Limit>

  Please Note: Following an upgrade to our Apache servers
  which is happening on September 27, 2000, the information
  in the "AuthName" field must be quoted, similar to the
  following:

  AuthName "Pictures From Germany"

  Existing "www_htaccess" files will be modified automatically
  during the upgrade.

Definitions
  • AuthType Basic

    Specifies that the standard type of password checking should be done.

  • AuthName DESCRIPTION

    Specifies the name of the password-protected area. The description is shown to the user when a password is requested. You should change this as appropriate.

  • AuthDBUserFile PASSWORD_FILE

    Specifies the location of your password file. Modify this to replace "PASSWORD_FILE" with the full path and filename of your password file.

  • AuthDBGroupFile PASSWORD_FILE

    Not necessary unless you are using groups. If you are using groups, "PASSWORD_FILE" should be the same as that used for the "AuthDBUserFile".

    See Specify groups for additional details on groups.

  • AuthDBGroupFile PASSWORD_FILE

    Specifies the location of your password file. Modify this as appropriate.

  • require valid-user|group[ group]*

    Specifies which users or groups are allowed access to this file. If you are not using groups, the line should be:

    require valid-user

    If you are using groups, the line should state "require group", followed by a list of all the allowed groups on the same line, separated by spaces. For example:

    require group bronze silver gold

    See Specify groups for additional details on groups.
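The rules from steps 2 and 3 can be checked mechanically before a "www_htaccess" file goes live. The following is an added example, not HoloNet's own code: the function names, the sample files and the site root argument are assumptions made for illustration.

```python
import re
WEB_DIRS = ("http", "https")  # browser-reachable directories under the site root

def parse_directives(text):
    """Return {directive: argument string}, skipping <Limit> tags and blanks."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, rest = line.partition(" ")
            found[name] = rest.strip()
    return found

def lint_htaccess(text, site_root):
    """List the ways a www_htaccess file departs from the rules on this page."""
    d = parse_directives(text)
    problems = []
    if d.get("AuthType") != "Basic":
        problems.append("AuthType should be Basic")
    if not re.fullmatch(r'"[^"]+"', d.get("AuthName", "")):
        problems.append("AuthName must be quoted")
    user_file = d.get("AuthDBUserFile", "")
    prefix = site_root.rstrip("/") + "/"
    if not user_file.startswith("/"):
        problems.append("AuthDBUserFile must be a full path")
    elif user_file.startswith(prefix) and user_file[len(prefix):].split("/")[0] in WEB_DIRS:
        problems.append("password file is inside a web-served directory")
    req = d.get("require", "").split()
    if not req or req[0] not in ("valid-user", "group"):
        problems.append("require must be 'valid-user' or 'group <names>'")
    elif req[0] == "group" and d.get("AuthDBGroupFile") != user_file:
        problems.append("AuthDBGroupFile must match AuthDBUserFile")
    return problems

# Constructed samples: GOOD follows the page's example; BAD breaks three rules.
GOOD = '''AuthType Basic
AuthName "Pictures From Germany"
AuthDBUserFile /www/sites/rocketshop/control/passwords/germany
AuthDBGroupFile /www/sites/rocketshop/control/passwords/germany
<Limit GET>
require group silver gold
</Limit>'''
BAD = '''AuthType Basic
AuthName Pictures From Germany
AuthDBUserFile /www/sites/rocketshop/http/protect/germany
<Limit GET>
require group gold
</Limit>'''
```

Calling lint_htaccess(BAD, "/www/sites/rocketshop") reports the unquoted AuthName, the password file placed under "http", and the missing AuthDBGroupFile.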


4.  Specify password protection

In the "holostore" command in your InstantStore Page, use the "-a" option and specify the location of the password file, the minutes of access allowed, and the URL of the password-protected area:

{holostore -i pictures -d "Pictures From Germany"
-p 29.95 -a /control/passwords/germany 60 http://www.yourdomain.com/protect/pictures/}

Note that the access time limit defaults to minutes, but you can use "h", "d", and "w" at the end of the access time limit as shorthand for hours, days and weeks respectively. For instance "60" alone as above will allow access for 60 minutes, while "60d" would allow access for 60 days.


5.  Specify Groups (OPTIONAL)

Use the "-g" option to specify groups that the purchaser will become members of.

This option can be used to specify a level of access. For example, suppose your store sold panoramic pictures from Germany, with two pricing options: Silver and Gold. Silver is less expensive, but Gold gets access to additional pictures as well as the pictures that Silver users have access to.

On your InstantStore Page, you would have at least two "holostore" commands, one with the option "-g silver" and one with the option "-g gold". In your protect directory you would have two directories, the "silver" directory and the "gold" directory:

{holostore -i silverPics
-d "Pictures From Germany: Silver Access" -p 29.95
-a /control/passwords/germany 60 http://www.custom.com/protect/silver/
-g silver}

{holostore -i goldPics
-d "Pictures From Germany: Gold Access" -p 59.95
-a /control/passwords/germany 60 http://www.custom.com/protect/gold/
-g gold}

Both the "silver" and the "gold" directories would have their own "www_htaccess" file. However, the silver "www_htaccess" would have the line:

require group silver gold

The gold "www_htaccess" would have the line:

require group gold

All the other lines in the two files would be identical. This would allow Silver or Gold users to have access to files in the "silver" directory, while Gold users would have access to the files in the "silver" directory and the "gold" directory as well.

If you also wanted to sell upgrade packages from Silver to Gold, you could have another "holostore" command with the option "-g gold silver". This would require that users purchasing this item already be members of the group Silver, and would give them access to the Gold group when purchased.

{holostore -i goldUpgrade
-d "Pictures From Germany: Upgrade to Gold Access"
-p 30.00 -a /control/passwords/germany 60 http://www.custom.com/protect/gold/
-g gold silver}

Presumably it would be priced as the difference between buying Gold access and buying Silver access.
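A purchase only works if the group granted by "-g" is listed in the "require group" line of the directory the "-a" URL points to. The following added example (not HoloNet's code) checks that and converts the access time limit from step 4 to minutes; the function names, the REQUIRE table and treating the first "-g" group as the one granted are assumptions drawn from the examples above.

```python
import re
import shlex
from urllib.parse import urlparse

UNIT_MINUTES = {"": 1, "h": 60, "d": 60 * 24, "w": 60 * 24 * 7}

def access_minutes(limit):
    """Convert an access time limit such as "60", "12h", "60d" or "2w" to minutes."""
    m = re.fullmatch(r"(\d+)([hdw]?)", limit)
    if not m:
        raise ValueError(f"bad access time limit: {limit!r}")
    return int(m.group(1)) * UNIT_MINUTES[m.group(2)]

def parse_holostore(command):
    """Extract the -a and -g settings from a {holostore ...} command."""
    tokens = shlex.split(command.strip().strip("{}"))
    if tokens[:1] != ["holostore"]:
        raise ValueError("not a holostore command")
    opts, i = {}, 1
    while i < len(tokens):
        j = i + 1
        while j < len(tokens) and not tokens[j].startswith("-"):
            j += 1  # every token up to the next option belongs to this one
        opts[tokens[i]] = tokens[i + 1:j]
        i = j
    password_file, limit, url = opts["-a"]
    return {"password_file": password_file, "minutes": access_minutes(limit),
            "directory": urlparse(url).path.rstrip("/").rsplit("/", 1)[-1],
            "groups": opts.get("-g", [])}

def purchase_reaches_area(command, require_groups):
    """True if the group granted by -g is allowed in the directory the URL names."""
    item = parse_holostore(command)
    allowed = require_groups.get(item["directory"], set())
    return bool(item["groups"]) and item["groups"][0] in allowed

# Constructed inputs: the "require group" lines of the two directories above,
# the Silver command from this page, and a copy pointed at the wrong directory.
REQUIRE = {"silver": {"silver", "gold"}, "gold": {"gold"}}
SILVER = '''{holostore -i silverPics
-d "Pictures From Germany: Silver Access" -p 29.95
-a /control/passwords/germany 60 http://www.custom.com/protect/silver/
-g silver}'''
WRONG_DIR = SILVER.replace("/protect/silver/", "/protect/gold/")
```

purchase_reaches_area(WRONG_DIR, REQUIRE) is False: a Silver purchaser sent to the "gold" directory would be refused by its "require group gold" line.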


Managing Passwords

The password file is a binary database file (standard DBM5 format).

There is no real need for manual password management if you are setting an access time limit for your passwords.

When a password expires, the login name that it was linked to will be freed up for someone else to use. The binary password file will maintain records of all passwords that were ever created on it, but only the active passwords will be valid.

The "hspasswd" command is a utility for manually managing your passwords. You must have Webmaster Access to use this command.

Once logged into the Webmaster shell, type the command as follows without any arguments, and the command's usage information and options will then be displayed:

	/www/shell/bin/hspasswd

A complementary text file is automatically created when the first password is set. This file mirrors the contents of the binary password file, in readable text characters, but passwords are obscured.

Any changes you may make to the binary file will not be made automatically to the mirror text file, but the "hspasswd" command has an option to "clean" the files.


Non-Store Options

If you are not going to be charging for access to the protected area of your site and are going to manually set up and manage all passwords yourself, there are two options for setting up password protection.

Option A

  • Perform steps 1 through 4 as described above (and step 5 if you are using groups).
  • In the "holostore" command in your InstantStore Page, use the "-nocard" option. When this flag is present, the customer is not asked for any credit card information or for a billing address.
  • Call your InstantStore Page and use the InstantStore to set up your password(s).

    When you are done, to prevent unauthorized persons from setting up passwords, we recommend that you move your InstantStore Page to your "control" directory. Whenever you want to set up any new passwords, you can move it back to your "http" directory.

Option B

  • Perform steps 1 through 3 as described above. Be sure to do them in order.
  • Set up and manage your passwords using the "hspasswd" command.

    Using Option B requires that you have Webmaster Access to manage your passwords, whereas Option A does not.



Copyright © 2012 HoloNet All Rights Reserved.

Last modified: Tuesday, 10-Jul-2001 09:31:03 PDT GMT