I am creating a PHP based web application which requires simple authentication to use. The application is made to be installed on a web server and used only be the owner of the web hosting/server, so there will only be one user and password. I figured there was no point in creating a complicated login system. I would just create a GUI to generate .htaccess and .htpasswd files to use Apache's authentication. The idea behind it was that it was supposed to simple, however it is turning into more of a job than I anticipated. I realized I have to place the .htpasswd file somewhere secure, meaning not in a web accessible directory. The problem is that web servers often have different filesystems and permissions, so where can I place it where it will be safe? I was able to create a directory with "740" permissions, which should be secure, from what I can tell. However, this is inconvenient. The application really should be limited to one folder, and if necessary a stray .htpasswd file. I would love to place the .htpasswd in the application folder, but I believe that is not possible if it is secured by the .htaccess file, when I tried it seemed to cause server errors. If anybody has a solution to that or a better place to put the .htpasswd file it would be greatly appreciated!

Comments

Take a look at stackoverflow.com/questions/747096/….

Written by George Marian

I am aware of how htaccess and htpasswd function, and how to create them. I am simply looking for suggestions as to where I can place the .htpasswd file that is cross-platform compatible and secure.

Written by Ben Kulbertis

Accepted Answer

By default apache should be configured not to serve any .ht* files by this rule:

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

So it should be secure to place this file wherever you want.

If you are encountering server errors check for mod_auth if it is compiled/enabled in apache installation and if your virtual host/webroot has AllowOverride AuthConfig

Written by dev-null-dweller
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki