Can I use HTTP Authentication with CGI PHP?
How can I set up HTTP Authentication using PHP CGI?

Jun 27th, 1999 16:45
Nathan Wallace, Richard Lynch


I dunno if it's "HTTP authentication", but if your ISP is running PHP as
a CGI and has enabled .htaccess for you, you can *definitely* get that
nifty popup window thingy using .htaccess and various Apache
incantations.

I don't think you can send the headers from PHP and maybe you can't get
the $AUTH_USER (don't care: haven't tried) inside PHP, but you'll limit
who can access the directory just fine.

Specifically, *one* way to do it is:

#1 create a .htpasswd file
   I forget if it has to go in your shell home dir or your cgi-bin, but
   it should *NOT* be in your web tree.
   Use man htpasswd and www.apache.org to get all the gory details but
   the bare minimum you need to do this is:

   cd       (or was it cd /path/to/your/cgi-bin  ?...)
   htpasswd -c .htpasswd <username>
   {Password:} <password>
   {Password:} <password>

   where <> means you fill it in and {} means Linux prompts you.
   You'll need to repeat all but the cd *WITHOUT* the -c for each
   additional user you want to authorize.  -c is for create.  If you 
   keep doing -c, you'll keep recreating the file and putting in one (1) 
   new authorized user.
   Don't do that.
   Technically, you can name the file anything you want, not just
   .htpasswd, but you might as well be a conformist.

#2 Create a .htaccess file in the directory you want protected with this
in it:

   AuthAuthoritative Off
   AuthName "Admin"
   AuthType Basic
   AuthUserFile /full/path/to/the/htpasswd/file/created/above/.htpasswd
   require valid-user

   I forget if "Admin" is just something I made up as a Realm or it's 
   from a preset list of Apache values for AuthName.  Go read the docs 
   at http://www.apache.org if you care.  Or even if you don't.  You 
   shouldn't be doing security stuff like this just on my say-so anyway. 
   Go read the docs.

I read the http://www.apache.org docs:  I did this:  It works.
I don't remember for sure exactly what all that crap means, so it's up
to you to look it up.  And I'll be damned if I know why I seem to think
the .htpasswd file needs to be in cgi-bin, because that just plain makes
no sense at all.  Any cracker can get to that, can't they?  Oh well, I'm
only trying to raise the bar a little anyway.  Ain't got nothing worth
stealing protected by AuthType Basic, that's for sure.

I'm sure you can get more spiffy stuff with database interaction for the
usernames and passwords via mod_auth* modules or something and increased
security for the transmission of passwords with better AuthType
settings, if you're smarter than I am and/or have the time to wade
through the docs at http://www.apache.org (they're actually quite
well-organized), but for a few users to be able to access a directory
this way, this will work fine.  You could maybe even script PHP to add
users dynamically to this if you can't handle reading Apache docs and
you have the time to write/test/debug the PHP to do it...  Nah, go
read www.apache.org and figure out how to make it work with a database,
and then post it.

But for goodness' sake don't rely on this (at least not on my say-so)
for something critical like credit cards.  IIRC AuthType Basic means the
passwords are transmitted in the clear, and I'm *not* an ecommerce
security expert by any stretch of the imagination.

Whew.  I'd make this shorter if I actually knew what I was talking
about. :-^
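
Added example, not part of the original entry: a shell function that audits the setup from steps #1 and #2, checking that the .htaccess has a require line and that the AuthUserFile it names exists and sits outside the web tree. The function names, the user alice and the temporary paths are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original entry. Audits an .htaccess like step #2.
# Usage: audit_htaccess /path/to/.htaccess /path/to/web/tree
# Prints one finding per line; returns 1 if any FAIL was printed, else 0.

# Print the first argument of a directive (name matched in lower case).
directive() {
    awk -v d="$2" 'tolower($1) == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Print the physical path of a directory, or nothing if it does not exist.
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

audit_htaccess() {
    htaccess=$1; rc=0
    docroot=$(real_dir "$2") || { echo "FAIL web tree $2 not found"; return 1; }
    pwfile=$(directive "$htaccess" authuserfile)
    [ -n "$pwfile" ] || { echo "FAIL no AuthUserFile directive"; return 1; }
    [ -n "$(directive "$htaccess" require)" ] ||
        { echo "FAIL no require line, so no password is demanded"; rc=1; }
    pwdir=$(real_dir "$(dirname "$pwfile")") || pwdir=
    case "$pwdir/" in
        /)            echo "FAIL directory of $pwfile does not exist"; rc=1 ;;
        "$docroot"/*) echo "FAIL $pwfile is inside the web tree $docroot"; rc=1 ;;
    esac
    if [ -f "$pwfile" ]; then
        echo "INFO $(grep -c ':' "$pwfile") user(s) in $pwfile"
    else
        echo "FAIL $pwfile not found"; rc=1
    fi
    [ "$(directive "$htaccess" authtype | tr 'A-Z' 'a-z')" != basic ] ||
        echo "NOTE AuthType Basic: password is only base64-encoded, use HTTPS"
    return $rc
}

# Constructed demo: the password file wrongly sits in the protected directory.
demo() {
    t=$(mktemp -d); mkdir -p "$t/www/admin"
    echo 'alice:constructed-hash' > "$t/www/admin/.htpasswd"
    printf 'AuthName "Admin"\nAuthType Basic\nAuthUserFile %s\nrequire valid-user\n' \
        "$t/www/admin/.htpasswd" > "$t/www/admin/.htaccess"
    st=0; audit_htaccess "$t/www/admin/.htaccess" "$t/www" || st=$?
    rm -rf "$t"; return $st
}

if [ $# -eq 2 ]; then audit_htaccess "$1" "$2"; else demo || true; fi
```

The user count in the INFO line also shows when a repeated `htpasswd -c` has left only one user in the file.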