1

I have a website that uses basic authentication as described on this webpage. Each of the computers I manage has the password saved in their browser.

There is only one username and password for this. After someone logs in to the site this way, they are presented with their individual username and password prompt as part of the web page. The purpose of the initial username/password is to protect the site's externally accessible sections.

So far, when we've had to change this password, I've manually gone to each computer and updated the saved password.

I'm writing a startup script to configure other aspects of these systems so that I can maintain them more easily. I'd like to be able to update the saved password via this script.

The operating system running on these machines is Windows XP SP3 and the browsers they're using to access this site are IE8 and IE9.

How can I update the saved basic authentication information for a website via a script?

Kalamane
  • Typically, you can use a remember me feature that will automatically log the user in if they have not recently logged out and are using the same computer. Within your site, you can program the text fields for the username and password to not be a part of autofill which would override their browser saving the username and password. This would give the convenience of not having to always type in their username and password to your website. You could even build in a function to expire certain saved sessions that would "kick out" someone who is currently logged in. – kobaltz Mar 20 '12 at 16:23
  • @kobaltz Sorry, I left out an important part of the question. There's only one main password for the site. See the updated question. – Kalamane Mar 20 '12 at 16:35
  • So are you using something like an .htaccess file to protect the directory? – kobaltz Mar 20 '12 at 16:40
  • Yes, that's right. – Kalamane Mar 20 '12 at 16:42
  • Is the site accessible externally or is it an intranet site? – kobaltz Mar 20 '12 at 16:44
  • It's accessible externally. – Kalamane May 10 '12 at 19:50

3 Answers

2

Since you're trying to restrict access to Domain Users to an intranet website, wouldn't it be easier to restrict access to the directory via your Active Directory Controller instead of using a static htaccess file? This way, you can allow certain users to access the website directory whereas other users would be denied by default. Change the Everyone permission to deny access by default and then add in your allowed users. This way you do not need to manage any kinds of passwords. When a user is terminated or no longer allowed access to the site, remove them from the Security list. The below example is how I would restrict the Resources folder to only an allowed group on IIS.

enter image description here

kobaltz
1

Why not consider using a password manager on the systems? If you were to use LastPass as an example, you could update the password in one location and it will sync across to all clients.

iambryan
0

Another option is to use domain and server isolation and restrict access to only machines or users that are in a group containing those accounts. This would have an added benefit of helping to ensure your entire Windows environment is secure. I am unaware of a way to programmatically save passwords; I believe that it's only possible to retrieve them programmatically.

Jim B