Whether you're a college professor wishing to grant students access to test results, or a research firm seeking to provide paying subscribers access to custom reports, you'll need to devise some way for your users to identify themselves in order to gain access to the restricted content. By identifying themselves, the users authenticate their identities. They often accomplish this authentication by providing a username and password, for which the college professor could provide the entire class with a single authentication combination. In other cases, however, you should grant a unique username and password to each subscriber.
In this article I'll show you how to implement both of these authentication approaches using nothing more than the Apache Web Server's native capabilities. The first approach can be implemented in mere minutes using a text file and a few command-line calls. The second approach is a tad more involved, requiring a bit of additional server configuration and a MySQL database, although you'll gain some additional flexibility along the way.
Before we begin, keep in mind that while you can indeed use these approaches to restrict access to a certain part of your website, they do not protect the transmission of the username and password from the client's computer to the server! Because the credentials are transmitted in plaintext, a savvy attacker could capture the information as it's passed over the network, thereby allowing the attacker to masquerade as an authorized user. To ensure maximum security, you should configure your server to use an SSL certificate, a task that although fairly easy to accomplish is out of the scope of this article.
Storing Credentials in a Text File
Apache has long supported a fairly simple authentication solution involving storing a username and password within a text file, which resides within the directory you'd like to protect. This text file is named
.htpasswd, and its contents generally look like this:
You'll create this file and add user accounts to it using a command-line utility appropriately named
htpasswd. To password-protect a particular directory within your website, navigate to that directory via the command line and execute the following command:
%>htpasswd -c .htpasswd jason
This command accomplishes two important tasks: It creates the file and then creates a new user named
jason. When you execute the command you'll be prompted to provide and confirm a password for user
.htpasswd file and user are created, you're free to add other users by executing the same command but this time omitting the
-c option and providing a different username. For instance, to add another user named
susie you would execute the following command and again provide and confirm Susie's password:
%>htpasswd .htpasswd susie
.htpasswd file isn't enough to protect the directory. You'll also need to modify Apache's configuration to recognize the
.htpasswd file. Thankfully these configuration changes can be managed locally, meaning you won't need to modify Apache's
httpd.conf file in order to effect these changes -- something that wouldn't be possible in most hosting environments. Instead, you'll use a file named
.htaccess, which can be used to configure Apache on a per-directory basis. Although the
.htaccess file can be used to perform many tasks, for the purposes of authentication you'll place it in the same directory as your
.htpasswd file, adding the following lines to it:
AuthName "Restricted Content" AuthType Basic AuthUserFile /var/www/wjgilmore.com/members/.htpasswd Require valid-user
When saved, navigating to the directory will cause Apache to verify whether the user has already provided valid credentials. If so, the user is granted access to the directory. If not, the user is prompted to provide authentication credentials using an interface similar to that shown in Figure 1.