Announcement

Collapse
No announcement yet.

Password protected vbulletin folder via .htaccess requires two correct logins / entries of username and password to get in

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Bug / Issue] Password protected vbulletin folder via .htaccess requires two correct logins / entries of username and password to get in

    Has anyone created a password protected folder to keep people out of his vbulletin forum, for example, for a test forum? I mean completely out of the folder that has the vbulletin forum in it.

    What I am finding is that for such a situation where I use .htaccess such as with this sort of code:

    AuthType Basic
    AuthName "forums"
    require valid-user
    AuthUserFile "/home/________/.htpasswds/public_html/_______.com/forums/passwd"

    that anytime someone goes to the password protected directory he has to make two correct and complete entries of the username and PW to get in, which is annoying to say the least. The first entry just results in the Authentication Required prompt popping up again. Have tried it on different browsers, and had others try it, and even Godaddy and Hostgator where I have created these PW protected folders has noted the same issue. They say that is has something to do with that the first pass enters the folder, and then the second pass opens up the vbulletin software with its working CSS. That if this were just a plain Jane html website inside the forum that this would not be happening.
    Last edited by MDawg; Fri 4th Aug '17, 3:49pm.

  • #2
    Most likely caused by the redirects. Solutions would be to use the Two Factor Authentication added for Administrators and Moderators or to restrict access to the AdminCP and ModCP by IP Address using the settings in /core/includes/config.php.

    https://www.vbulletin.com/forum/arti...authentication
    https://www.vbulletin.com/forum/foru...-now-available

    I suspect the /AdminCP directory will be removed from new installs in the future. It is currently empty on new installations and isn't really needed anymore. The ModCP will also be removed when it is no longer needed in the future.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.

    Comment


    • #3
      I want to block access to the forum period to anyone who does not have a username and PW, which is why I am PW protecting the entire forums folder.

      Comment


      • #4
        The only thing I can suggest is to deny access via permissions to all usergroups except the ones that should have access.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API - Full / Mobile
        Vote for your favorite feature requests and the bugs you want to see fixed.

        Comment


        • #5
          Forgive me if I am just contributing something you already know or is useless, but I made a private installation using htaccess a while back and used what was in our manual at http://www.vbulletin.com/docs/html/upgrade_testsite

          It talks about htaccess at Step 3 - Files
          -- *Admin Settable Paid Subscription Reminder Timeframe*
          -- Ads available for the modules globally
          -- Global modules
          -- Add Admin ability to auto-subscribe users to specific channel(s)

          Comment


          • #6
            Right: "You will need to protect this directory from the general public. The most common way to do this is by a combination of .htaccess and .htpasswd files." ---- as noted I have done that. The issue is that for some reason this method creates a need for having to input the username / PW twice to gain entry.

            Comment


            • #7
              I think the second one is triggered by one of the resources/requests on the page. ​​​Open the Network tab in the browser dev tools to see the requests. When the second prompt appears, check what the last request is.

              GIPHY for vB5 AutoLinker Auto-Create Flag Report Topic Social Icons in Postbit Clear Cache Cron DragDrop Upload Topic AJAX AutoUpdate Custom Avatars Selector Stop Links in Posts...and more!

              Comment


              • #8
                When the second pull down Authentication Required window appears (or the first, for that matter), you have not yet "landed" on the page so there isn't a way that I am aware to view or access anything from the page.

                You go to the URL that corresponds to the PW protected directory, get this, and enter the correct username and password:
                Click image for larger version  Name:	AuthenticationReq1.jpg Views:	1 Size:	88.0 KB ID:	4375102


                Then, even though you have entered the correct username and PW, you get this second almost, but not quite identical request:
                Click image for larger version  Name:	AuthenticationReq2.jpg Views:	1 Size:	98.2 KB ID:	4375103



                and then after submitting the correct, same username and password this second time, it lets you in. It just doesn't want to let you in on the first correct entry of username and password.


                ALSO, if you enter the correct username and PW the FIRST time (only first time), and then enter NOTHING the second round, and just keep hitting Cancel, eventually you wind up in the forum, somewhat, without the CSS in play, and it looks like this:

                Click image for larger version  Name:	KForums_noCSS.jpg Views:	1 Size:	114.9 KB ID:	4375104



                Now, if you enter nothing at all, EVER (not first, not ever) and click cancel then you'll just end up here:

                Click image for larger version  Name:	Unauthorized_noEntry.jpg Views:	1 Size:	47.7 KB ID:	4375105
                Last edited by MDawg; Fri 4th Aug '17, 3:51pm.

                Comment


                • #9
                  Open the dev tools (F12) and then click Network tab before loading the page. If Firefox doesn't allow you to do that, then use Chrome

                  GIPHY for vB5 AutoLinker Auto-Create Flag Report Topic Social Icons in Postbit Clear Cache Cron DragDrop Upload Topic AJAX AutoUpdate Custom Avatars Selector Stop Links in Posts...and more!

                  Comment


                  • #10
                    My guess is the second time is authentication for the CSS URL requests based on what you said that the layout is broken when not entering on the second prompt

                    GIPHY for vB5 AutoLinker Auto-Create Flag Report Topic Social Icons in Postbit Clear Cache Cron DragDrop Upload Topic AJAX AutoUpdate Custom Avatars Selector Stop Links in Posts...and more!

                    Comment


                    • #11
                      With Chrome I am able to access Developer Tools, but can't click within it to access Network.
                      Click image for larger version  Name:	DevTools.jpg Views:	1 Size:	218.0 KB ID:	4375113

                      As long as that Authorization Required window remains up the browser is more or less locked from doing much other than entering the username or password into that window.

                      However once I enter some data and get as far as the lacking CSS version of the website (by entering correct username/password into first window, and then just hitting cancel on the second), I see this:

                      Click image for larger version  Name:	CSS_lacking_network.jpg Views:	1 Size:	247.8 KB ID:	4375114

                      Comment


                      • Glenn Vergara
                        Glenn Vergara commented
                        Editing a comment
                        I was right. The second prompt is for the css. You can see 401 unauthorized error code for css.php requests

                      • Glenn Vergara
                        Glenn Vergara commented
                        Editing a comment
                        Actually not just for css but I think for all subdirectories.

                    • #12
                      Well, given that there is nothing in the directory (folder) but vbulletin, how best to PW protect the entire folder then without this twice entry of username/password?

                      Comment


                      • #13
                        Are you choosing to save the password? I've done this many times, including for VB 5.x but I always choose to save the password to the browser.

                        Comment


                        • #14
                          This issue - having to enter the password twice, isn't so much an issue for me today, but I want to use this PW protection feature for a live forum elsewhere and in that case if every newbie who goes to the PW protected forum has to enter the PW twice, will be discouraged from even trying to enter.

                          Comment


                          • #15
                            Originally posted by MDawg View Post
                            This issue - having to enter the password twice, isn't so much an issue for me today, but I want to use this PW protection feature for a live forum elsewhere and in that case if every newbie who goes to the PW protected forum has to enter the PW twice, will be discouraged from even trying to enter.
                            So is that mean you're net having the browser save the password?

                            Comment

                            Related Topics

                            Collapse

                            Working...
                            X