wyUpdate.exe and .htaccess

I am trying to run wyUpdate.exe on a folder that is protected using a password and username with .htaccess. I keep getting an unauthorized error.

Error trying to save file: Error downloading "http://username:password@www.mysite.com/test/wyserver.wys": The remote server returned an error: (401) Unauthorized.

I can't find any info on this, but I know the url works in firefox just fine, but won't when I try it wyUpdate.exe. Please help. Thanks.

I got this working using the ftp site and password, but it would be nice to not have to do it this way. I would rather use the http:// and the password and username in the .htaccess file.

ftp://ftp_user:ftp_pass@mysite.com/public_html/test/%file% 'This works

http://htaccess_user:htaccess_pass@www.mysite.com/test/%file% 'This does not work

I would still like to no if I can do it as in my question above? Thanks.

Why are you password protecting your updates folder?

Well because...

My boss wants it that way.

So just anyone can't go to the link and download our files.

Only the updater should have access to the files in the directory.

If I don't protect it then a customer could go there and get files they don't have permission to get. My main program has a lot of various programs that are unlocked according to what the user pays for as well as firmware updates, etc.

I am using the trial right now and I suppose I could just use the ftp address, but I would rather not.

Do you not allow the update directory to be password protected?

The trouble is that even if we did support .htaccess Authentication (we don't) and the specification for this authentication was in the form http://user:pass@site.com (it's not) this still wouldn't be the right way to go about protecting files.

The first reason is that the password would be stored in the "client.wyc" file. So, yes - your updates would be password protected, but everyone would have the password. If you gave your customers the password to manually type in then the password would be common knowledge, thus again everyone would have the password.

Password protecting the updates isn't a viable solution.

Possible solution #1

If you're dealing with a limited customer base (i.e. less than 200 users) then it might be better to authorize user by IP address. It looks something like this in the .htaccess file:

deny all;allow X.X.X.X;allow Y.Y.Y.Y;allow Z.Z.Z.Z;...etc.

Possible solution #2 (best solution)

Add the update-subscription checking directly to your app's code. That is, if the user is not allowed to update to the latest version past, say, May 1st, and they upgrade anyway - have an interface that requires them buy a new subscription license before they can continue to the latest version.

Possible solution #3 (worst solution)

Alter the wyUpdate source code to add either .htaccess authentication support, or add proprietary protection.