2012-01-07, 08:50 PM
is it possible to add another user/password to my already configured .htpasswd file ?
.htpasswd
2012-01-08, 10:32 AM
Yup.

Code:
htpasswd .htpwd myUserName

then it'll prompt for the password. Alternatively, use the -b option to specify both username and pass:

Code:
htpasswd -b .htpwd myUserName newPassword

Note - this presumes that your password file is ".htpwd" - just pop the relevant name in there.

Lastly, don't forget that Apache needs to be able to read this file to allow/deny users. I've had people set permissions to 600 and wonder why it doesn't work. Don't use 666 or 777 - 644 should be sufficient. For tighter security, set the group to the apache services account group (www-data or so) then set permissions to 640. Go for it! (also, don't forget "tail -f" on your apache logfiles to show login/out information and diagnose issues).

nb: a new addition to the htpass file shouldn't require a restart of apache (nor a reboot) but you probably knew that anyway...
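To show what the reply above is doing to the file, here is an added example (not from the post or from Apache's own htpasswd tool) that adds or rotates a user in htpasswd format and flags the file modes the reply warns about. It writes the "{SHA}" entry form that htpasswd -s produces, assumed here only because it needs no third-party module; the file name ".htpwd" and the users are constructed for the demo.

```python
import base64, hashlib, hmac, os, stat, tempfile
def sha_entry(password):
    """'{SHA}' form that `htpasswd -s` writes (base64 of raw SHA-1); stdlib-only here,
    but unsalted, so let real htpasswd use its default bcrypt/apr1 for production files."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def set_user(path, username, password):
    """Add or replace one 'user:hash' line, as `htpasswd -b FILE USER PASS` does."""
    if not username or ":" in username:
        raise ValueError("bad username")
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = [l.rstrip("\n") for l in f if l.strip()]
    entry = f"{username}:{sha_entry(password)}"
    hits = [i for i, l in enumerate(lines) if l.split(":", 1)[0] == username]
    for i in hits:
        lines[i] = entry          # rotate the existing user's password
    if not hits:
        lines.append(entry)       # brand-new user
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return "updated" if hits else "added"

def check_password(path, username, password):
    """Look the user up and compare hashes in constant time (what Apache does per request)."""
    with open(path) as f:
        for line in f:
            user, _, h = line.rstrip("\n").partition(":")
            if user == username:
                return hmac.compare_digest(h, sha_entry(password))
    return False

def permission_problems(path):
    """Flag the modes the post warns about: 0600 (Apache can't read it) and 0666/0777."""
    mode, problems = stat.S_IMODE(os.stat(path).st_mode), []
    if not mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("not readable by Apache's group or others (e.g. 0600)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group or world writable (e.g. 0666 / 0777)")
    return problems

def demo():
    """Constructed run in a temp dir: add two users, rotate one, try two file modes."""
    path = os.path.join(tempfile.mkdtemp(), ".htpwd")
    r = [set_user(path, "alice", "s3cret"), set_user(path, "bob", "pw"), set_user(path, "alice", "new")]
    ok = check_password(path, "alice", "new") and not check_password(path, "alice", "s3cret")
    os.chmod(path, 0o600); bad = permission_problems(path)
    os.chmod(path, 0o640); good = permission_problems(path)
    return r, ok, len(bad), len(good)
```

Running demo() shows the 0600 file being flagged as unreadable by Apache while 0640 passes clean, matching the reply's advice.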
2012-01-08, 04:04 PM
thanks Dave, that worked great :)
2012-01-08, 07:11 PM
Sound! nb: you probably know this, but htaccess authentication is not a fantastically secure method - even if you're using https, the username/pass combo is still sent as part of the URL (https://username:password@mysite.com/securearea) so those credentials could be sniffed out.
2012-01-10, 07:17 AM
i didn't know that, ok so what's a better way and is it hard to setup ?
2012-01-10, 11:11 AM
(This post was last modified: 2012-01-10, 11:12 AM by Dungeon-Dave.)
Firstly, if you're passing authentication credentials, they should be sent as POST query variables over https. This forum does it during login - pops up a login form for a user to enter credentials. Successful login usually results in the client receiving a cookie containing some obfuscated information. The contents of these are read for each page request and compared against a lookup table that matches the cookie contents to a username, verifying the identity of the user. It's a standard authentication mechanism used by many sites.

I've hacked up some module that compares the identity and rank of a forum member to see if they have access to further directories - reusing forum credentials. The best part about that was that the admins could create a specific rank or privilege and I'd just check against that to permit access.

Note that all of this is for much tighter security. I run a site where entry is permitted against their static IP address or using a simple username/pass combo encoded in the page URL. It's not super-secret and users may give away their credentials, but it means I can track leaks back to specific individuals if it occurs.

I suppose the question is: just how secure do you want to make it?