anyweb

.htpasswd


Is it possible to add another user/password to my already configured .htpasswd file?


Yup.

 

htpasswd .htpwd myUserName

then it'll prompt for the password. Alternatively, use the -b option to specify both username and pass:

 

htpasswd -b .htpwd myUserName newPassword

 

Note - this presumes that your password file is ".htpwd" - just pop the relevant name in there.

 

Lastly, don't forget that Apache needs to be able to read this file to allow/deny users. I've had people set permissions to 600 and wonder why it doesn't work. Don't use 666 or 777 - 644 should be sufficient. For tighter security, set the group to the apache services account group (www-data or so) then set permissions to 640.

 

Go for it! (also, don't forget "tail -f" on your apache logfiles to show login/out information and diagnose issues).

 

nb: a new addition to the htpass file shouldn't require a restart of apache (nor a reboot) but you probably knew that anyway...

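Added example, not from the thread or from Apache: a few standard-library Python functions that do what the two htpasswd commands above do against an existing file (add a user, or replace the hash of one already there, without touching the other entries) and that encode the 644/640 permission advice as a check. It writes the unsalted {SHA} format that `htpasswd -s` produces; the user names and passwords are constructed samples.

```python
import base64
import hashlib
import hmac

def sha1_entry(user, password):
    # One line in the unsalted {SHA} format that `htpasswd -s` writes. It is the
    # weakest format htpasswd supports (prefer -B/bcrypt); used here only because
    # it needs nothing outside the standard library.
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

def set_user(lines, user, password):
    # Add `user`, or replace its hash if the name is already present; every other
    # entry is carried over untouched, which is what `htpasswd file user` does.
    out, found = [], False
    for line in lines:
        if line.split(":", 1)[0] == user:
            out.append(sha1_entry(user, password))
            found = True
        else:
            out.append(line)
    return out if found else out + [sha1_entry(user, password)]

def check_password(lines, user, password):
    # Verify a login against the stored {SHA} entry, using a constant-time compare.
    expected = sha1_entry(user, password).partition(":")[2]
    for line in lines:
        name, _, stored = line.rstrip("\n").partition(":")
        if name == user and stored.startswith("{SHA}"):
            return hmac.compare_digest(stored, expected)
    return False

def mode_ok(mode):
    # The thread's permission rule applied to a file mode (as returned by
    # stat.S_IMODE(os.stat(path).st_mode)): group-readable so the web server's
    # account can load it, never group- or world-writable.
    # Accepts 0o640 and 0o644; rejects 0o600, 0o660, 0o666 and 0o777.
    return bool(mode & 0o040) and not mode & 0o022

if __name__ == "__main__":
    # Constructed sample: the file already holds one user before another is added.
    entries = set_user([sha1_entry("anyweb", "oldsecret")], "myUserName", "newPassword")
    print("\n".join(entries))
    print(check_password(entries, "myUserName", "newPassword"))  # True
    print([mode_ok(m) for m in (0o640, 0o644, 0o600, 0o666)])  # [True, True, False, False]
```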

Thanks Dave, that worked great :)


Sound!

 

nb: you probably know this, but htaccess authentication is not a fantastically secure method - even if you're using https, the username/pass combo is still sent as part of the URL (https://username:password@mysite.com/securearea) so those credentials could be sniffed out.


I didn't know that. OK, so what's a better way, and is it hard to set up?


Firstly, if you're passing authentication credentials, they should be sent as POST query variables over https. This forum does it during login - pops up a login form for a user to enter credentials.

 

Successful login usually results in the client receiving a cookie containing some obfuscated information. The contents of these are read for each page request and compared against a lookup table that matches the cookie contents to a username, verifying the identity of the user. It's a standard authentication mechanism used by many sites.

 

I've hacked up some module that compares the identity and rank of a forum member to see if they have access to further directories - reusing forum credentials. The best part about that was that the admins could create a specific rank or privilege and I'd just check against that to permit access.

 

Note that all of this is for much tighter security. I run a site where entry is permitted against their static IP address or using a simple username/pass combo encoded in the page URL. It's not super-secret and users may give away their credentials, but it means I can track leaks back to specific individuals if it occurs.

 

I suppose the question is: just how secure do you want to make it?
