Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

Apache's .htpasswd files consist of user/password pairs, one pair per line, eg:

username1:unixcryptpassword username2:unixcryptpassword

The Apache::Htpasswd module provides the methods you will need to manage user accounts within .htpasswd (or other password files with the same format)- add and remove users, set & reset passwords. The module provides only an object orientated interface. For a more complete user management solution you may want to look at HTTPD::UserAdmin but for customised user management and integration with your site Apache::Htpasswd is a great tool.

Drawbacks:There is no way to list all the users in a passwd file. There is no method to find out if a specific user has an account. The fetchInfo() method can be bent to this purpose, but it returns "0" for an invalid account, otherwsise any info that is stored for that user or undef, to test for a user I wrapped it in a sub like this-

sub is_user { my $user = shift || return; my $info = $htpasswd->fetchInfo($user); return 0 if ($info eq '0'); return 1; }

Sample code

Here is a sample CGI script to allow a user to change their own password. It requires the user to know their own password first. This script should be run from within a .htaccess protected directory! It uses the $ENV{REMOTE_USER} variable which can be manipulated by an "attacker" however they would still then need to know the existing password for any user they specify.

#!/usr/bin/perl -wT # # BEGIN { # make the environment safe delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; $ENV{PATH} = ""; } use strict; use CGI; use CGI::Carp qw(fatalsToBrowser); use Apache::Htpasswd; my $cgi = new CGI; $|++; my %settings = (title => "htpasswd change page", dir => "/home/user/public_html/cgi-bin", htpasswd => ".htpasswd", fields => [ "old_passwd", "new_passwd", "new_passwd2 +" ], ); $settings{user} = $ENV{REMOTE_USER}; my $htpasswd = new Apache::Htpasswd("$settings{dir}/$settings{htpasswd +}"); print_page_headers($settings{title}); process_form(); print_form(); exit; sub process_form { return unless ( $cgi->param('change') ); my %data; for my $field ($cgi->param()){ if ( scalar grep /^\Q$field\E$/, @{$settings{fields}} ){ # its a field we know about my $tmp = substr($cgi->param($field), 0, 50); $tmp = lc($tmp) if ( $field eq "change_user_name" ); $data{$field} = $tmp || ''; } } if ( !$data{old_passwd} or !$data{new_passwd} or !$data{new_passwd2} + ){ print $cgi->p("You must fill out all fields!"); return; } if ( ! $htpasswd->htCheckPassword($settings{user}, $data{old_passwd} +) ){ print $cgi->p("Old password incorrect or invalid user name"); return; } if ( $data{new_passwd} eq $data{old_passwd} ){ print $cgi->p("New password must be different to old password!"); return; } if ( $data{new_passwd} ne $data{new_passwd2} ){ print $cgi->p("New passwords don't match!"); return; } if ( $data{new_passwd} !~ /^\S{6,8}$/ or $data{new_passwd} !~ /[^a-z +A-Z]+/ ){ print $cgi->p("New password must be 6-8 chars and contain at least + one number or punctuation character"); return; } $htpasswd->htpasswd($settings{user}, $data{new_passwd}, $data{old_pa +sswd}); if ( my $error = $htpasswd->error() ){ print $cgi->p("There was en error: [$error]"); } else { print $cgi->p("Password for $settings{user} was succesfully change +d"); } } sub print_page_headers { my $title = shift || "Page without a title"; print $cgi->header(); print $cgi->start_html($title); print $cgi->h2($title); print $cgi->hr(); return; } sub print_form { for (@{$settings{fields}} ){ $cgi->delete($_); } print $cgi->start_form(); print $cgi->b("Password Change for $settings{user}"); print $cgi->table({-border=>0}, $cgi->Tr( $cgi->td("Enter your ", $cgi->strong("old"), " password"), $cgi->td($cgi->password_field( -name => 'old_passwd', -value => '', -size => 10, -maxlength => 8))), $cgi->Tr($cgi->td("Enter your ", $cgi->strong("new"), " password"), $cgi->td($cgi->password_field( -name => 'new_passwd', -value => '', -size => 10, -maxlength => 10))), $cgi->Tr($cgi->td("Re-Enter your new password"), $cgi->td($cgi->password_field( -name => 'new_passwd2', -value => '', -size => 10, -maxlength => 10)), $cgi->td($cgi->submit( -name => 'change', -value => 'Change Password'))), ); print $cgi->end_form(), $cgi->hr(); print $cgi->end_html(); print "\n"; }

To prohibit downloading of your .htpasswd & associated files your .htaccess should look something like this:

AuthType Basic AuthName "Authorisation Required" AuthUserFile /path/to/.htpasswd <files ~ "^\.ht"> Order allow,deny Deny from all </files> <Limit GET POST> require user username </Limit>


In reply to Apache::Htpasswd by greenFox

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (2)
As of 2021-12-01 06:27 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?