Password protecting acatalog directory?


    Hi,

    To my amazement I just discovered that while I need a password to refresh my website, no password is required to download orders. I was told by my ISP that I need to password protect the directory using htaccess. My question is will this stop the scripts from updating the acatalog directory if it is password protected?

    Thanks

    #2
    To download orders Actinic still uses the same FTP login credentials as it does to do an upload.

    I don't understand what you're referring to when you say you don't need a password to download orders.


      #3
      I don't think Actinic will work with htaccess.

      I had a client protect acatalog with htaccess and then be unable to upload.


        #4
        Why do you want to protect them? They are not much use to anyone. Unless you're capturing credit card details?


          #5
          I don't know about earlier versions and the old grey matter is not so good, but in v9 you can't open the .ord files.


            #6
            Originally posted by Darren B
            I don't know about earlier versions and the old grey matter is not so good, but in v9 you can't open the .ord files.
            The .ord files are encrypted.


              #7
              Thanks Alan, so I don't see why you need to password the acatalog directory.


                #8
                Hi again,

                1) What I mean by I don't need a password
                The orders are on a different PC than the development, so when I changed the development PC password, I tried an upload and it failed with the old password - which it should have. So I changed it to the new password and it worked.

                I expected similar results on the order PC except when I tried it with the old password, I received no error and I was able to download orders. I waited 1 day & tried again - same results. I then deleted the password in Actinic and I was still able to download orders.

                2) Yes these orders contain credit card details.

                Correct me if I'm wrong but anyone with my network settings could in theory download the orders. We all know that there are resourceful lads out there. So my ISP said that unless I password protect the directory (using .htaccess) the directory could be accessed. This could explain why I've been getting the odd strange order. One thread I submitted a while back about getting the credit card in a confirmation email. It happened again last week when the card number was in the name field.


                  #9
                  One thing I forgot to mention (to answer Jo) is that they also told me to create another FTP userid for that specific directory. I won't know if this works until I try.


                    #10
                    But the order is not unencrypted until it reaches the PC.

                    *mumbles PCI DSS*


                      #11
                      Without your installation of Actinic and your specific 128-bit encryption key, the order files are useless to anyone else. The encryption key is not part of the network settings - the network settings only contain the FTP passwords, not the encryption key. You can see your encryption key by going to Housekeeping|Security.

                      At some stage you will have to stop downloading cc details to process offline. Use a payment provider to take the payments and you won't have these security risks.

                      IMO your greatest risk is that someone steals your PC.


                        #12
                        Yes I understand that it is encrypted until it reaches the PC. I just thought that a password was required, but now I know it isn't for downloads. It also doesn't explain the card number in the name field of the order.

                        Thanks for all of your replies.


                          #13
                          Originally posted by procheck
                          It also doesn't explain the card number in the name field of the order.
                          That's almost certainly a PEBCAK issue. Never underestimate the ability of customers not to read the form fields correctly.

                          ** joins in general PCI type muttering**
                          Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks


                            #14
                            Originally posted by procheck
                            It also doesn't explain the card number in the name field of the order.
                            Oddly enough, I had an order with this problem the other day. Must be the same customer.


                              #15
                              We had one as well, perhaps it's the season of numpties. One of the sales guys asked if we really should be selling roofing materials to these people.
