httpd-users mailing list archives

From "Jason L Michael" <>
Subject [users@httpd] Password protect sections of website
Date Tue, 04 Feb 2003 15:05:19 GMT

I'm using PHP and MySQL, running on Apache.  For sections of the site where
I want to restrict access, I'm using the htaccess functions of Apache, which
work beautifully.  As I understand it, I just put sensitive stuff in a
special folder, call it "guarded", and then whenever I link to anything in
"guarded", the user's browser presents them with a login/password dialog to
gain access.  Since these values are stored in a flat file outside the reach
of the browser (not anywhere in the htdocs path), I can assume that gaining
access to this section of my site without being given a password would
require compromising Apache, and more specifically, the box Apache is
running on.

Am I correct in my assumption?

Hard coding login/password pairs into the .htpassword file seems to be a bit
primitive, and since gaining access to any set would grant you access to
anything in the protected folder, is this really such a good idea?  Should
htaccess be reserved for "Admins" and another method be used for "trusted
users"?  I have tried using PHP, with a MySQL query for login/password
(encrypted) and an HTTP header (WWW_Authenticate), but I don't think this is
so secure, as it simply passes the return values of the dialog to the SQL
query, and one could then use this interface to hack the SQL query and gain
access to the SQL database.

What other methods for securing sections of your website have you used with
success?  Which methods are the most secure?  Is granting a login/password
to "trusted users" via htaccess such a good idea?  Do webmasters normally
write some kind of script to edit the .htpassword file?

Thanks in advance,

Jason L Michael
105A Maple
Arlington TX, 76011

West of House
You are standing in an open field west of a white house, with a boarded
There is a small mailbox here.
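The PHP/MySQL login the poster describes, with its injection problem, as an added example that is not part of the original message or of Apache's own code. It assumes a hypothetical table users(username, password_hash) where password_hash was produced by PHP's password_hash(), and placeholder PDO connection details. The first function reproduces the unsafe pattern (browser-supplied values concatenated into the query) and is kept only to show what goes wrong; the second does the same lookup with a prepared statement and a hash comparison, and the third wires it to the WWW-Authenticate challenge the poster mentions.

```php
<?php
// Added example (not from the original post): HTTP Basic auth checked against a
// MySQL user table from PHP. Assumed, hypothetical schema:
//   users(username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255))

// The pattern the poster worries about, shown only to illustrate the risk.
// DO NOT USE: the name and password typed into the browser dialog are pasted
// straight into SQL, so a user name of   admin' --   rewrites the WHERE clause
// to   username = 'admin'   and the password check is commented out.
function vulnerableLookup(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened lookup: a prepared statement keeps the user-supplied value as data
// (the driver never lets it alter the query text), and the password is compared
// against a salted hash in PHP rather than as a plaintext column in SQL.
function authenticate(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run password_verify() even for unknown names so the response time does
    // not reveal which user names exist.
    $hash = ($row !== false)
        ? $row['password_hash']
        : password_hash('placeholder-for-unknown-user', PASSWORD_DEFAULT);

    return $row !== false && password_verify($pass, $hash);
}

// Issue the Basic challenge until the browser sends credentials that verify.
function requireBasicAuth(PDO $db): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    if ($user === '' || !authenticate($db, $user, $pass)) {
        header('WWW-Authenticate: Basic realm="guarded"');
        header('HTTP/1.0 401 Unauthorized');
        exit('Authorization required');
    }
}

// Usage (placeholder DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'webuser', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
// ]);
// requireBasicAuth($db);
// echo 'Welcome to the guarded area';
```

Two caveats apply equally to this code and to Apache's own Basic auth with an htpasswd file: the browser sends the user name and password base64-encoded, not encrypted, on every request, so the guarded area should be served only over HTTPS; and the MySQL account the script connects with should have no more than SELECT on the users table, so that even a query bug cannot be turned into a write to the database.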
