htaccess Password Protected Directories


What is per-directory authentication?

Authentication information is passed to the server through two types of configuration files.  These files carry specific instructions about how your webserver will respond to a client.  The two files are called the GLOBAL and PER-DIRECTORY configuration files.

The name of the per-directory configuration file is determined by the global configuration file (httpd.conf) and is by default set to .htaccess.  Only the per-directory file can be modified without root access.

The per-directory configuration file allows users to modify the web server configuration inside a particular directory on-the-fly.  This means that you can effectively set each and every directory on your webserver to behave as an independent server.  More commonly, .htaccess is simply used to restrict access to a given directory based on an authentication or PASSWORD (.htpasswd) file.

Note that the per-directory configuration file is read and parsed by the server on EACH access, allowing run-time re-configuration.  The global configuration file is only parsed on start-up or restart.  There is a speed penalty associated with .htaccess because of this, but this usually is not a major problem.

Security Issues

Basic HTTP Authentication sends the password over the network UNENCRYPTED but NOT AS PLAIN TEXT -- it is uuencoded.   Anyone watching packet traffic on the network will not see the password in the clear, but the password will be easily decoded by anyone who happens to catch the right network packet. 

This is basically about as secure as your typical telnet session.  If you feel safe logging into your web account then you should feel safe using .htaccess.
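An added illustration, not code from the original page: Basic authentication today encodes the user:password pair as base64 (RFC 7617) rather than uuencode, and either encoding reverses in one call, so the only real protection is carrying the header over TLS. The functions below decode a constructed Authorization header (handling a password that itself contains colons and rejecting malformed input) and report which constructed requests sent such a header over plain http://, which is what an on-path observer could read.

```python
import base64
import binascii

# Constructed requests with made-up credentials, as a proxy or test harness
# might record them: (URL, Authorization header value).
SAMPLE_REQUESTS = [
    ("http://www.example.com/members/", "Basic " + base64.b64encode(b"alice:pa:ss").decode()),
    ("https://www.example.com/admin/", "Basic " + base64.b64encode(b"bob:hunter2").decode()),
    ("http://www.example.com/admin/", "Bearer not-basic-at-all"),
    ("http://www.example.com/admin/", "Basic %%%not-base64"),
]

def credentials_from_header(value):
    """Return (user, password) from an Authorization header value, or None
    when it is not well-formed Basic. Only the first colon separates the
    fields (RFC 7617), so a password may itself contain colons."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None

def plaintext_credential_leaks(requests):
    """Return (url, user) for every request that sent decodable Basic
    credentials over plain http://. The password is deliberately left out
    of the report; knowing which accounts must be reset is enough."""
    leaks = []
    for url, auth in requests:
        creds = credentials_from_header(auth)
        if creds and url.lower().startswith("http://"):
            leaks.append((url, creds[0]))
    return leaks
```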

Password Protected HTTP

Many times you will need to create password control files to restrict access to particular URLs/directories on your webserver.  Password control files are used by your server, in combination with password files, to control access to the directories where your web pages reside. Thus an .htaccess (Apache), ns.config (Enterprise) or dafauth.txt (NT) file in your admin directory will determine who has access to your administrative pages. Corresponding files in your members directory will determine who has access to your membership pages.

Thanks to the engineering of some bright minds we are now able to password protect HYPERTEXT TRANSFER PROTOCOL using these PASSWORD CONTROL FILES.  If you are in the biz of selling passwords like I am you already know this.  The way this works is that a special ASCII (text) file is uploaded into the directory that you want to require a username and password to enter.  This file then tells the server to restrict access to valid members only.  Depending on what type of webserver you are using, you will use a different type of password control file.  These are just more TEXT files: create them in your favorite text editor and upload them to the directory you want to restrict.

APACHE uses .htaccess

Enterprise uses ns.config

IIS3.0/4.0 uses dafauth.txt

Each file looks slightly different.

APACHE Password Control Files

The .htaccess files are used by your APACHE webserver, in combination with password files, to control access to the directories where your web pages reside. The .htaccess file in your admin directory will determine who has access to your administrative pages. The .htaccess file in your members directory will determine who has access to your membership pages.  The general structure looks like this:

AuthUserFile /path/to/passwordfile
AuthGroupFile /dev/null
AuthName (any name)
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
require valid-user
</Limit>

Create an .htaccess file in your members directory using the example file htaccess. Note that the first line of the file looks something like this:

AuthUserFile /path/to/admin

This line sets AuthUserFile to the path (location) of your password file.

The only thing you have to edit in an .htaccess file is LINE NUMBER ONE.  This line maps to the location of your PASSWORD FILE!  To enter this directory the user MUST have a username and password inside the password file.  Note that if you are locking down an ADMINISTRATIVE directory (i.e. admin) then you DON'T WANT YOUR NORMAL USERS TO GET IN!  That is why you create a SEPARATE .htaccess file for your admin directory like this:

AuthUserFile /path/to/admin/adminpassword
AuthGroupFile /dev/null
AuthName (any name)
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
require valid-user
</Limit>
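The checks a practitioner would run over a file laid out like the two .htaccess examples above, as an added example (not code from the original page): it parses the directives, flags an AuthUserFile that is missing, relative, or under an assumed document root (where the server could serve the password file itself), and flags a require line wrapped in <Limit>, which per Apache's documentation restricts only the listed methods. The document root path is an assumption for the illustration.

```python
import re
# Constructed sample, laid out like the admin-directory .htaccess on this page.
SAMPLE_HTACCESS = """\
AuthUserFile /path/to/admin/adminpassword
AuthGroupFile /dev/null
AuthName "Admin Area"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
require valid-user
</Limit>
"""

def parse_htaccess(text):
    """Return (directives, methods): directive name -> argument, plus the verbs
    of a <Limit> block wrapping 'require' (None if require is unconditional)."""
    directives, methods, in_limit, limited_require = {}, None, False, False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<limit\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            in_limit, methods = True, opened.group(1).split()
        elif line.lower() == "</limit>":
            in_limit = False
        else:
            name, _, arg = line.partition(" ")
            directives[name.lower()] = arg.strip()
            limited_require |= (name.lower() == "require" and in_limit)
    return directives, (methods if limited_require else None)

def check_htaccess(text, docroot="/var/www/html"):
    """List findings (empty = passed). docroot is an assumed document root,
    used to spot a password file the web server could serve to anyone."""
    d, methods = parse_htaccess(text)
    findings = []
    userfile = d.get("authuserfile", "")
    if not userfile:
        findings.append("AuthUserFile missing: no one can log in")
    elif not userfile.startswith("/"):
        findings.append("AuthUserFile must be an absolute path")
    elif userfile.startswith(docroot.rstrip("/") + "/"):
        findings.append("password file is under the document root")
    if "require" not in d:
        findings.append("no require line: the directory is not protected")
    if methods is not None:
        findings.append("require only covers <Limit %s>; other methods bypass it" % " ".join(methods))
    return findings
```

Dropping the <Limit> lines so that require applies to every method clears the last finding.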

 

ENTERPRISE USERS:  ns.config files look more like this... same concept, with fewer lines:

<Files mastergate/secured/*>
RequireAuth userfile=/path/to/passwordfile
realm="yourdomain.com" userlist=*
</Files>

All you have to do is map to the location of your password file, the same as with .htaccess.

NT USERS:  Creating dafauth.txt files

For this I will refer you to the AUTHORITY on DAF.  He created it and loves to hear from people like you!