
User Authentication With .htaccess and .htpasswd

If you want to restrict access to any part of your website, you can require that a username and password be given before access is granted...

There are two different ways to do this:

  • Using the basic security that's built into the HTTP protocol.
  • Using a custom program or script embedded in your web pages.


HTTP Security.

This method is fairly simple to set up and provides the kind of basic login you'd expect: When someone tries to access a protected directory, the standard dialog box appears requesting a username / password. Once the login data is supplied, the page is loaded.

There are two files you need to set up in your webhosting account: .htaccess and .htpasswd. You can often create and edit these files via your webhosting 'control panel' if you have one. Otherwise you can create the files yourself and upload them.

The .htaccess file is located in the directory you want to protect. It defines what kind of security you want to apply to the directory. It should contain the following data:


AuthUserFile /home/yourname/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user

You can cut and paste the above. The lines mean this:

AuthUserFile /home/yourname/.htpasswd

Location of the username/password file

AuthGroupFile /dev/null

We're not using a group access file. You can use one if you want; see the man pages for .htaccess.

AuthName "Private"

Name of the protected area.

AuthType Basic

Authentication Type - always 'basic'. (This caters for future extensions.)

require valid-user

Access requires a valid login.



The .htpasswd file should be located where you specified it above. A good place is your home directory. A bad place is any globally visible directory. It should contain the following:

username1:password1
username2:password2
...


Where each password is in an encrypted (hashed) form. You can encrypt your passwords using Apache's htpasswd tool (see the man page for htpasswd), or an online tool such as This Password Generator.

TIP: If you want to automate your members only website, but keep it really simple, you can just send every user the same username and password. This means you don't have to change the contents of these two files automatically as new people join.

If you want each user to have a unique name and password, you'd need to add some extra code to:

  • Generate a password automatically (easy).
  • Change the .htaccess and .htpasswd files automatically.

This is possible, but not very secure, and doesn't allow user tracking.



When any script on your machine is triggered by an external source (e.g. PayPal's ordering system), as far as Unix is concerned it's being run by an unknown user. These scripts must be globally executable.

Normally your .htaccess and .htpasswd files are accessible only to their owner, i.e. you. To change them, you'd have to log in via telnet (or control panel). In order to make these files accessible to a script, you'd have to allow them to be written to by an unknown user. Clearly not very secure.

The PHP script-based security solution below bypasses these problems.
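
A read-only check of the points made above: the password file should sit outside any web-visible directory, should not be writable by other users, and should hold hashed entries. This is an added example, not part of the original tutorial; the function names and the sample layout are constructed, and AuthUserFile is assumed to hold an absolute path.

```python
import os
import re
import tempfile

# Prefixes htpasswd writes (bcrypt, apr1, {SHA}, SHA-2 crypt) or 13-char crypt(3).
HASHED = re.compile(r"^(\$2[aby]\$|\$apr1\$|\{SHA\}|\$5\$|\$6\$|[./0-9A-Za-z]{13}$)")

def auth_user_file(htaccess_path):
    """Return the AuthUserFile path from a .htaccess file (assumed absolute), or None."""
    with open(htaccess_path) as fh:
        for line in fh:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "authuserfile":
                return parts[1].strip().strip('"')

def audit(htaccess_path, docroot):
    """Return findings for one protected directory (OSError if a file is unreadable)."""
    pw = auth_user_file(htaccess_path)
    if pw is None:
        return ["no AuthUserFile directive"]
    findings = []
    root, real = os.path.realpath(docroot), os.path.realpath(pw)
    if os.path.commonpath([root, real]) == root:
        findings.append("password file is inside the web root")
    if os.stat(real).st_mode & 0o002:  # "other" write bit
        findings.append("password file is world-writable")
    with open(real) as fh:
        for n, line in enumerate(fh, 1):
            user, sep, secret = line.strip().partition(":")
            if line.strip() and not (sep and HASHED.match(secret)):
                findings.append(f"line {n}: password for {user!r} is not hashed")
    return findings

def demo():
    """Audit a constructed weak layout built in a temporary directory."""
    with tempfile.TemporaryDirectory() as home:
        docroot = os.path.join(home, "public_html")
        os.makedirs(os.path.join(docroot, "private"))
        pw = os.path.join(docroot, ".htpasswd")  # weak: under the web root
        with open(pw, "w") as fh:  # constructed sample entries, not real hashes
            fh.write("username1:password1\nusername2:$apr1$constructed$placeholder\n")
        os.chmod(pw, 0o666)  # weak: writable by any user
        ht = os.path.join(docroot, "private", ".htaccess")
        with open(ht, "w") as fh:
            fh.write(f"AuthUserFile {pw}\nAuthType Basic\nrequire valid-user\n")
        return audit(ht, docroot)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The hash check looks only at the format of each entry, so a 13-character plain-text password made of crypt characters would pass it.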

Here's a good tutorial on .htaccess... and another from ApacheWeek, which is a bit more in-depth.



Script Based Security

This is a more complicated method of providing security, but it's much more flexible.

A cool PHP security suite is part of this course and is explained in detail in the php security script page.

You can download all the scripts from the free scripts download page.


