Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
.htpasswd
#1
is it possible to add another user/password to my already configured .htpasswd file ?
Reply
#2

Yup.

 



Code:
htpasswd .htpwd myUserName




then it'll prompt for the password. Alternatively, use the -b option to specify both username and pass:

 



Code:
htpasswd -b .htpwd myUserName newPassword




 

Note - this presumes that your password file is ".htpwd" - just pop the relevant name in there.

 

Lastly, don't forget that Apache needs to be able to read this file to allow/deny users. I've had people set permissions to 600 and wonder why it doesn't work. Don't use 666 or 777 - 644 should be sufficient. For tighter security, set the group to the apache services account group (www-data or so) then set permissions to 640.

 

Go for it! (also, don't forget "tail -f" on your apache logfiles to show login/out information and diagnose issues).

 

nb: a new addition to the htpass file shouldn't require a restart of apache (nor a reboot) but you probably knew that anyway...

Reply
#3
thanks Dave, that worked great :)
Reply
#4

Sound!

 

nb: you probably know this, but htaccess authentication is not a fantastically secure method - even if you're using https, the username/pass combo is still sent as part of the URL (https://username:password@mysite.com/securearea) so those credentials could be sniffed out.

Reply
#5
i didn't know that, ok so what's a better way and is it hard to setup ?
Reply
#6

Firstly, if you're passing authentication credentials, they should be sent as POST query variables over https. This forum does it during login - pops up a login form for a user to enter credentials.

 

Successful login usually results in the client receiving a cookie containing some obfuscated information. The contents of these are read for each page request and compared against a lookup table that matches the cookie contents to a username, verifying the identity of the user. It's a standard authentication mechanism used by many sites.

 

I've hacked up some module that compares the identity and rank of a forum member to see if they have access to further directories - reusing forum credentials. The best part about that was that the admins could create a specific rank or privilege and I'd just check against that to permit access.

 

Note that all of this is for much tighter security. I run a site where entry is permitted against their static IP address or using a simple username/pass combo encoded in the page URL. It's not super-secret and users may give away their credentials, but it means I can track leaks back to specific individuals if it occurs.

 

I suppose the question is: just how secure do you want to make it?

Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)