Linux-Noob Forums
.htpasswd - Printable Version


.htpasswd - anyweb - 2012-01-07

Is it possible to add another user/password to my already configured .htpasswd file?

.htpasswd - Dungeon-Dave - 2012-01-08



htpasswd .htpwd myUserName

then it'll prompt for the password. Alternatively, use the -b option to specify both username and pass:


htpasswd -b .htpwd myUserName newPassword


Note - this presumes that your password file is ".htpwd" - just pop the relevant name in there.


Lastly, don't forget that Apache needs to be able to read this file to allow/deny users. I've had people set permissions to 600 and wonder why it doesn't work. Don't use 666 or 777 - 644 should be sufficient. For tighter security, set the group to the apache services account group (www-data or so) then set permissions to 640.


Go for it! (also, don't forget "tail -f" on your apache logfiles to show login/out information and diagnose issues).


nb: a new addition to the htpass file shouldn't require a restart of apache (nor a reboot) but you probably knew that anyway...
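
Added example, not part of the original post: a shell check of the permission advice in the post above (666/777 rejected, 644 accepted, 640 with Apache's group preferred, 600 only when Apache's own user owns the file). It assumes GNU stat on Linux; the function names are made up for this example, and the Apache user and group are whatever you pass in.

```sh
#!/bin/sh
# Added example: audit an Apache basic-auth password file's permissions.
# Assumes GNU stat (Linux). Function names are hypothetical.

# classify_mode MODE: print a verdict for an octal mode such as 640.
classify_mode() {
    bits=$((0$1))                  # leading 0 makes the shell read the mode as octal
    if [ $((bits & 0002)) -ne 0 ]; then
        echo "world-writable"      # 666, 777: any local user can edit the file
    elif [ $((bits & 0004)) -ne 0 ]; then
        echo "world-readable"      # 644: works, but any local user can read the hashes
    elif [ $((bits & 0040)) -ne 0 ]; then
        echo "group-readable"      # 640: fine when the group is Apache's
    else
        echo "owner-only"          # 600: only works if Apache's user owns the file
    fi
}

# audit_htpasswd FILE APACHE_USER APACHE_GROUP
# Prints "OK: ..." or "FAIL: ..." and returns 0 or 1.
audit_htpasswd() {
    file=$1 user=$2 group=$3
    [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 fgroup=$3
    verdict=$(classify_mode "$mode")
    if [ "$verdict" = "world-writable" ]; then
        echo "FAIL: mode $mode lets any local user rewrite $file"; return 1
    fi
    if [ "$verdict" = "world-readable" ]; then
        echo "OK: mode $mode is readable by Apache; 640 with group $group is tighter"
        return 0
    fi
    if [ "$verdict" = "group-readable" ] && [ "$fgroup" = "$group" ]; then
        echo "OK: mode $mode, readable only by $owner and group $group"; return 0
    fi
    if [ "$owner" = "$user" ]; then
        echo "OK: mode $mode, owned by $user"; return 0
    fi
    echo "FAIL: mode $mode, owner $owner, group $fgroup: $user cannot read $file"
    return 1
}

# Usage (path is a placeholder): audit_htpasswd /path/to/.htpwd www-data www-data
```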

.htpasswd - anyweb - 2012-01-08

Thanks Dave, that worked great :)

.htpasswd - Dungeon-Dave - 2012-01-08



nb: you probably know this, but htaccess authentication is not a fantastically secure method - even if you're using https, the username/pass combo is still sent as part of the URL so those credentials could be sniffed out.

.htpasswd - anyweb - 2012-01-10

I didn't know that. OK, so what's a better way, and is it hard to set up?

.htpasswd - Dungeon-Dave - 2012-01-10

Firstly, if you're passing authentication credentials, they should be sent as POST query variables over https. This forum does it during login - pops up a login form for a user to enter credentials.


Successful login usually results in the client receiving a cookie containing some obfuscated information. The contents of these are read for each page request and compared against a lookup table that matches the cookie contents to a username, verifying the identity of the user. It's a standard authentication mechanism used by many sites.


I've hacked up some module that compares the identity and rank of a forum member to see if they have access to further directories - reusing forum credentials. The best part about that was that the admins could create a specific rank or privilege and I'd just check against that to permit access.


Note that all of this is for much tighter security. I run a site where entry is permitted against their static IP address or using a simple username/pass combo encoded in the page URL. It's not super-secret and users may give away their credentials, but it means I can track leaks back to specific individuals if it occurs.


I suppose the question is: just how secure do you want to make it?