
I am creating a PHP based web application which requires simple authentication to use. The application is made to be installed on a web server and used only by the owner of the web hosting/server, so there will only be one user and password. I figured there was no point in creating a complicated login system. I would just create a GUI to generate .htaccess and .htpasswd files to use Apache's authentication. The idea behind it was that it was supposed to be simple; however, it is turning into more of a job than I anticipated. I realized I have to place the .htpasswd file somewhere secure, meaning not in a web accessible directory. The problem is that web servers often have different filesystems and permissions, so where can I place it where it will be safe? I was able to create a directory with "740" permissions, which should be secure, from what I can tell. However, this is inconvenient. The application really should be limited to one folder, and if necessary a stray .htpasswd file. I would love to place the .htpasswd in the application folder, but I believe that is not possible if it is secured by the .htaccess file; when I tried it, it seemed to cause server errors. If anybody has a solution to that or a better place to put the .htpasswd file, it would be greatly appreciated!

Ben Kulbertis
  • Take a look at http://stackoverflow.com/questions/747096/cakephp-password-protection-with-htaccess-and-htpasswd-howto. – George Marian Jul 26 '10 at 21:27
  • I am aware of how htaccess and htpasswd function, and how to create them. I am simply looking for suggestions as to where I can place the .htpasswd file that is cross-platform compatible and secure. – Ben Kulbertis Jul 26 '10 at 21:36

1 Answer


By default Apache should be configured not to serve any .ht* files by this rule:

```apache
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
```

So it should be secure to place this file wherever you want.

If you are encountering server errors, check whether `mod_auth` is compiled/enabled in your Apache installation and whether your virtual host/webroot has `AllowOverride AuthConfig`.

dev-null-dweller
  • Thanks, I was unaware of this. However about the errors, I am only receiving them if I place the .htpasswd file inside the .htaccess protected folder. If I enable `mod_auth` and set `AllowOverride AuthConfig`, will this allow me to do this without errors? – Ben Kulbertis Jul 26 '10 at 21:53
  • So when you place .htpasswd somewhere else (and specify this path in htaccess) it works fine (you have to login to view the page)? – dev-null-dweller Jul 26 '10 at 22:15
  • I had not tested it yet, but I assumed so, however it seems that if I enter in the correct user and password it does not validate and brings the log-in box up once again. My error log had this to say: `reason: require directives present and no Authoritative handler.` Is this the error you were referring to? – Ben Kulbertis Jul 26 '10 at 22:31
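A small generator for the two files the question describes, added here as an example; it is not code from the question, the answer, or any project. It assumes Apache 2.4 (the `Require all denied` syntax, and bcrypt `$2y$` hashes, which Apache's `htpasswd` has accepted since 2.4.4; Apache 2.2 would need the APR1-MD5 format instead), PHP 7.1 or later, and placeholder values for the application directory, username and password. It writes the .htpasswd into the protected directory itself and repeats the "never serve .ht* files" rule from the answer above so that placement stays safe:

```php
<?php
// Added example: generate an .htaccess/.htpasswd pair for a single-user app.
// Directory, username, password and realm are placeholders chosen by the caller.
declare(strict_types=1);

/**
 * Contents of an .htpasswd file holding one user.
 * bcrypt ($2y$) is what PHP's password_hash produces and what Apache >= 2.4.4 reads.
 */
function buildHtpasswd(string $user, string $password): string
{
    // htpasswd lines are "user:hash"; a colon or whitespace in the name would corrupt the format
    if ($user === '' || strpos($user, ':') !== false || preg_match('/\s/', $user)) {
        throw new InvalidArgumentException('username must be non-empty with no colon or whitespace');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    return $user . ':' . $hash . "\n";
}

/**
 * Contents of the .htaccess that protects the directory.
 * The FilesMatch block restates Apache's default refusal to serve .ht* files,
 * which is what makes keeping .htpasswd inside the protected folder acceptable.
 * AuthUserFile must be an absolute path or Apache will not find the file.
 */
function buildHtaccess(string $htpasswdPath, string $realm = 'Restricted Area'): string
{
    if ($htpasswdPath === '' || $htpasswdPath[0] !== '/') {
        throw new InvalidArgumentException('AuthUserFile must be an absolute path');
    }
    $realm = str_replace('"', '', $realm); // a quote would break the AuthName directive
    $lines = [
        '<FilesMatch "^\.ht">',
        '    Require all denied',
        '</FilesMatch>',
        '',
        'AuthType Basic',
        'AuthName "' . $realm . '"',
        'AuthUserFile "' . $htpasswdPath . '"',
        'Require valid-user',
    ];
    return implode("\n", $lines) . "\n";
}

/**
 * Write both files into $appDir. The directory must exist and needs
 * AllowOverride AuthConfig in the server configuration for .htaccess to take effect.
 */
function writeAuthFiles(string $appDir, string $user, string $password): void
{
    $dir = realpath($appDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException("directory not found: $appDir");
    }
    $htpasswd = $dir . '/.htpasswd';
    $htaccess = $dir . '/.htaccess';

    if (file_put_contents($htpasswd, buildHtpasswd($user, $password), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $htpasswd");
    }
    // Owner read/write, group read, nothing for others. The Apache worker must still be
    // able to read it, so adjust owner/group or mode to how PHP and Apache run on the host.
    chmod($htpasswd, 0640);

    if (file_put_contents($htaccess, buildHtaccess($htpasswd), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $htaccess");
    }
    chmod($htaccess, 0644);
}

/**
 * Check a username/password against .htpasswd contents, the same check Apache
 * performs; handy for a "test login" button in the GUI without touching Apache.
 */
function verifyHtpasswd(string $contents, string $user, string $password): bool
{
    foreach (preg_split('/\R/', $contents) as $line) {
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        [$storedUser, $storedHash] = array_pad(explode(':', $line, 2), 2, '');
        if ($storedUser === $user) {
            return $storedHash !== '' && password_verify($password, $storedHash);
        }
    }
    return false;
}

// Usage with constructed values: write the pair into a fresh temporary directory.
$demoDir = sys_get_temp_dir() . '/htauth-demo-' . bin2hex(random_bytes(4));
mkdir($demoDir, 0750);
writeAuthFiles($demoDir, 'owner', 'example-passphrase-change-me');
var_dump(verifyHtpasswd(file_get_contents($demoDir . '/.htpasswd'), 'owner', 'example-passphrase-change-me'));
var_dump(verifyHtpasswd(file_get_contents($demoDir . '/.htpasswd'), 'owner', 'wrong'));
```

The absolute `AuthUserFile` path is required by Apache, so the generator derives it from `realpath()` rather than letting the user type one. Keeping the file inside the protected folder only works because the `FilesMatch` rule denies it over HTTP; if that rule (or the default it mirrors) were ever removed, the hashes would be downloadable, so the GUI should treat the rule as mandatory rather than optional.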