I am creating a PHP based web application which requires simple authentication to use. The application is made to be installed on a web server and used only be the owner of the web hosting/server, so there will only be one user and password. I figured there was no point in creating a complicated login system. I would just create a GUI to generate .htaccess and .htpasswd files to use Apache's authentication. The idea behind it was that it was supposed to simple, however it is turning into more of a job than I anticipated. I realized I have to place the .htpasswd file somewhere secure, meaning not in a web accessible directory. The problem is that web servers often have different filesystems and permissions, so where can I place it where it will be safe? I was able to create a directory with "740" permissions, which should be secure, from what I can tell. However, this is inconvenient. The application really should be limited to one folder, and if necessary a stray .htpasswd file. I would love to place the .htpasswd in the application folder, but I believe that is not possible if it is secured by the .htaccess file, when I tried it seemed to cause server errors. If anybody has a solution to that or a better place to put the .htpasswd file it would be greatly appreciated!
By default apache should be configured not to serve any
.ht* files by this rule:
<FilesMatch "^\.ht"> Order allow,deny Deny from all Satisfy All </FilesMatch>
So it should be secure to place this file wherever you want.
If you are encountering server errors check for
mod_auth if it is compiled/enabled in apache installation and if your virtual host/webroot has
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki