views:

37

answers:

1

I am creating a PHP based web application which requires simple authentication to use. The application is made to be installed on a web server and used only by the owner of the web hosting/server, so there will only be one user and password. I figured there was no point in creating a complicated login system. I would just create a GUI to generate .htaccess and .htpasswd files to use Apache's authentication. The idea behind it was that it was supposed to be simple; however, it is turning into more of a job than I anticipated. I realized I have to place the .htpasswd file somewhere secure, meaning not in a web-accessible directory. The problem is that web servers often have different filesystems and permissions, so where can I place it where it will be safe? I was able to create a directory with "740" permissions, which should be secure, from what I can tell. However, this is inconvenient. The application really should be limited to one folder, and if necessary a stray .htpasswd file. I would love to place the .htpasswd in the application folder, but I believe that is not possible if it is secured by the .htaccess file; when I tried it, it seemed to cause server errors. If anybody has a solution to that or a better place to put the .htpasswd file, it would be greatly appreciated!

+2  A: 

By default Apache should be configured not to serve any .ht* files, by this rule:

# Apache 2.2 syntax; Apache 2.4 expresses the same rule as "Require all denied"
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

So it should be secure to place this file wherever you want.

If you are encountering server errors, check whether mod_auth is compiled/enabled in your Apache installation and whether your virtual host/webroot has AllowOverride AuthConfig.

dev-null-dweller
Thanks, I was unaware of this. However about the errors, I am only receiving them if I place the .htpasswd file inside the .htaccess protected folder. If I enable `mod_auth` and set `AllowOverride AuthConfig`, will this allow me to do this without errors?
Ben
So when you place .htpasswd somewhere else (and specify this path in htaccess) it works fine (you have to login to view the page)?
dev-null-dweller
I had not tested it yet, but I assumed so; however, it seems that if I enter the correct user and password it does not validate and brings the log-in box up once again. My error log had this to say: `reason: require directives present and no Authoritative handler.` Is this the error you were referring to?
Ben
With this error you have to enable the `mod_authz_user` module.
dev-null-dweller
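The pieces discussed in the answer and its comment thread (keeping .htpasswd inside the protected folder behind a .ht* deny rule, an absolute AuthUserFile path, and `Require valid-user` needing mod_authz_user), pulled together as an added example. This Python is not part of the original thread and is not the asker's PHP app: it generates an APR1-MD5 .htpasswd entry in the same format `htpasswd -m` produces, verifies a password against such an entry, writes .htpasswd so that it is never world-readable, and renders a .htaccess whose deny block covers both Apache 2.2 and 2.4 syntax. The function names, the 0640 file mode (assumes the httpd process can read group-readable files), and the sample user, password and realm are assumptions of the example.

```python
"""Generate and check Apache Basic-auth files (.htaccess + .htpasswd).

Added example, not code from the original post. Assumes the APR1-MD5
password format ($apr1$), which every supported Apache accepts, and that
the httpd process can read a group-readable (0640) file; adjust to your host.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    # APR's crypt-style base64: 6 bits per character, least significant first
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt):
    """Return '$apr1$<salt>$<hash>' as produced by `htpasswd -m` (APR1-MD5)."""
    pw = password.encode()
    salt = salt[:8].encode()
    if not salt or b"$" in salt:
        raise ValueError("salt must be 1-8 characters and must not contain '$'")
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    plen = len(pw)
    while plen > 0:
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop, same schedule as apr_md5_encode()
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    digest = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    digest += _to64(final[11], 2)
    return "$apr1$" + salt.decode() + "$" + digest


def make_htpasswd_entry(user, password, salt=None):
    """One .htpasswd line: user:$apr1$salt$hash (random 8-char salt by default)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def verify_htpasswd(entry, password):
    """Check a password against one .htpasswd line (APR1 entries only)."""
    _user, _, stored = entry.strip().partition(":")
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    try:
        return hmac.compare_digest(apr1_md5(password, parts[2]), stored)
    except ValueError:
        return False


def render_htaccess(realm, htpasswd_path):
    """Basic auth for the directory plus a deny rule for .ht* files.

    AuthUserFile must be absolute. 'Require valid-user' is answered by
    mod_authz_user; without it Apache logs 'require directives present and
    no Authoritative handler'. The IfModule pair covers 2.4 (mod_authz_core) and 2.2.
    """
    if not os.path.isabs(htpasswd_path):
        raise ValueError("AuthUserFile must be an absolute path")
    if '"' in realm:
        raise ValueError("realm must not contain a double quote")
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n\n"
        '<FilesMatch "^\\.ht">\n'
        "    <IfModule mod_authz_core.c>\n        Require all denied\n    </IfModule>\n"
        "    <IfModule !mod_authz_core.c>\n        Order allow,deny\n        Deny from all\n    </IfModule>\n"
        "</FilesMatch>\n"
    )


def write_auth_files(directory, user, password, realm="Restricted"):
    """Write .htpasswd (0640, never world-readable) and .htaccess into `directory`."""
    base = os.path.abspath(directory)
    htpasswd = os.path.join(base, ".htpasswd")
    fd = os.open(htpasswd, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as f:
        f.write(make_htpasswd_entry(user, password) + "\n")
    os.chmod(htpasswd, 0o640)  # the O_CREAT mode is masked by umask, so enforce it
    htaccess = os.path.join(base, ".htaccess")
    with open(htaccess, "w") as f:
        f.write(render_htaccess(realm, htpasswd))
    return htpasswd, htaccess


def htpasswd_world_readable(path):
    return bool(os.stat(path).st_mode & 0o004)


def demo_in_tempdir():
    """Create the files in a throw-away directory and report what was produced."""
    d = tempfile.mkdtemp()  # constructed scratch directory, not a real web root
    htpasswd, htaccess = write_auth_files(d, "owner", "correct horse", "My App")
    with open(htpasswd) as f:
        entry = f.read().strip()
    with open(htaccess) as f:
        text = f.read()
    return {
        "entry_ok": verify_htpasswd(entry, "correct horse"),
        "wrong_rejected": verify_htpasswd(entry, "wrong"),
        "world_readable": htpasswd_world_readable(htpasswd),
        "has_absolute_userfile": f"AuthUserFile {htpasswd}" in text,
    }


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The deny block is what lets .htpasswd live in the same folder as .htaccess: Apache refuses to serve it over HTTP while still reading it from disk for AuthUserFile. Keeping the file out of the web root is still the stronger choice when the host allows it, and the file mode matters either way on shared hosting where other accounts run under the same web server user.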