开发者

Where to place .htpasswd generated by PHP?

开发者 https://www.devze.com 2023-01-09 03:43 出处:网络
I am creating a PHP based web application which requires simple authentication to use. The application is made to be installed on a web server and used only be the owner of the web hosting/server, so

I am creating a PHP based web application which requires simple authentication to use. The application is made to be installed on a web server and used only be the owner of the web hosting/server, so there will only be one user and password. I figured there was no point in creating a complicated login system. I would just create a GUI to generate .htaccess and .htpasswd files to use Apache's authentication. The idea behind it was that it was supposed to simple, however it is turning into more of a job than I anticipated. I realized I have to place the .htpasswd file somewhere secure, meaning not in a web accessible directory. The problem is that web servers often have different filesystems and permissions, so where can I place it where it will be safe? I was able to create a directory with "740" permissions, which should be secure, from what I can tell. However, this is inconvenient. The application really should be limited to one folder, and if necessary a stray .htpasswd file. I would love to place the .htpasswd in the application folder, but I believe that is not possible if it is secured by the .htaccess file, when I tried it seemed to cause server errors. If anybody has a solution to that or a be开发者_StackOverflowtter place to put the .htpasswd file it would be greatly appreciated!


By default apache should be configured not to serve any .ht* files by this rule:

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

So it should be secure to place this file wherever you want.

If you are encountering server errors check for mod_auth if it is compiled/enabled in apache installation and if your virtual host/webroot has AllowOverride AuthConfig

0

精彩评论

暂无评论...
验证码 换一张
取 消