George_Sherston has asked for the wisdom of the Perl Monks concerning the following question:

I have a multi-user site where users can upload info to their personal areas, and I want to be sure enough that they can't upload stuff to, or otherwise mess with, each other's areas.

Since my server is Apache, my plan is to use htpasswd to protect the user areas. So when they log on to the site they enter their htpasswd user and pwd, and then I use $ENV{REMOTE_USER} to track who's who and allow the right people the right access.

I like this because htpasswd handles all the encrypting for me. I can see one pitfall I have to guard against - making sure that new users don't take old users' user names; but that need not present a problem. But before I go ahead, I should be very grateful for any words of wisdom / other pitfalls.

And I also have a specific question, for which I crave your indulgence, namely is it possible to send pwd / user info to htpasswd via a CGI form, rather than using the automatically generated dialogue box that the web browser throws out? It would just be nice to integrate password entry into the overall aesthetic of the site.

§ George Sherston

Re: Integrating htpasswd and CGI
by simon.proctor (Vicar) on Feb 11, 2002 at 17:10 UTC
    The only pitfalls with the htpasswd method that I can think of are that your username and password are transmitted in clear text over the network. Whilst this is true of most methods (unless you use certificates or https) it does limit this particular method of authentication.

    Additionally, unless you write some mod_perl code you are going to find it hard to expire a user (via timeout for example) as the htpasswd system does not cater for it. Well . . . not as far as I know at least ;P. Privileges, logging and custom session stuff are all out of the question too.

    Having said that, if you are just starting out with CGI and want to get some basic authentication methods under your belt then this is a fine place to start. I started with this and had a lot of fun with it. Good luck! :)

    As to your second question, if I understand you correctly you wish to use a htpasswd file as the means of storing user information. Well this is quite possible. From what I can tell, you should be able to collect the user information via a form and then compare the details against the file details.

    A quick search yielded Tie::Htpasswd, which uses Apache::Htpasswd. These would make your life a lot easier.
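As an added illustration of the approach Simon describes (checking form-submitted credentials against the htpasswd file) together with the name-collision pitfall from the question, here is a small self-contained Perl script; it is not code from this thread or from Apache::Htpasswd, uses only core modules, and assumes a constructed file `users.htpasswd` in the `{SHA}` format that `htpasswd -s` writes (unsalted SHA-1, so the file itself must be kept out of the web root and readable only by the server).

```perl
#!/usr/bin/perl
# Added example: verify CGI-form credentials against an htpasswd file
# and refuse duplicate user names at sign-up. Core modules only.
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64);

my $passwd_file = 'users.htpasswd';   # assumption: constructed file for this demo

# Apache's {SHA} scheme: "{SHA}" followed by base64(SHA-1(password)).
sub sha_hash {
    my ($pass) = @_;
    return '{SHA}' . encode_base64(sha1($pass), '');
}

# Read "user:hash" lines into a hash ref; a missing file means no users yet.
sub read_users {
    my %users;
    open my $fh, '<', $passwd_file or return \%users;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line eq '' || $line =~ /^#/;
        my ($user, $hash) = split /:/, $line, 2;
        $users{$user} = $hash;
    }
    close $fh;
    return \%users;
}

# The pitfall from the question: never let a new user claim an existing name.
sub add_user {
    my ($user, $pass) = @_;
    die "bad user name\n" unless $user =~ /^[A-Za-z0-9_.-]{1,32}$/;  # no ':' or newline
    my $users = read_users();
    return 0 if exists $users->{$user};
    open my $fh, '>>', $passwd_file or die "cannot open $passwd_file: $!";
    print {$fh} "$user:", sha_hash($pass), "\n";
    close $fh;
    return 1;
}

# Check what the CGI form submitted instead of relying on the browser dialog.
sub check_password {
    my ($user, $pass) = @_;
    my $stored = read_users()->{$user};
    return 0 unless defined $stored && $stored =~ /^\{SHA\}/;  # only {SHA} entries handled
    return sha_hash($pass) eq $stored ? 1 : 0;
}

unlink $passwd_file;
add_user('alice', 'correct horse')  or die "first registration failed\n";
add_user('alice', 'something else') and die "duplicate name accepted\n";
print check_password('alice', 'correct horse') ? "login ok\n" : "denied\n";
print check_password('alice', 'wrong')         ? "login ok\n" : "denied\n";
```

In a real CGI you would take `$user` and `$pass` from the form fields and, on success, set your own session cookie, since `$ENV{REMOTE_USER}` is only populated when Apache itself performed the basic-auth check.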
Re: Integrating htpasswd and CGI
by thpfft (Chaplain) on Feb 11, 2002 at 17:05 UTC

    I've done this a few times, and it does work very well. The only drawback I've encountered is that helpful browsers tend to make it very hard to log out without quitting (or to enforce an inactivity timeout), and you need special mechanisms to achieve a permanent login (which may seem like an advantage).

    The only way I'm aware of to force login or logout, which might incidentally answer your specific question, is to redirect the user to an address in the form http://user:password@foo.bar.com/baz/. Which is how my Heath Robinson logout mechanism worked, but obviously isn't great for logging in.

    But I'm surprised you don't like the standard browser login window: it always seemed reassuring to me that this was the real thing and not some home-made cookie cutter.

    Incidentally, for working with htpasswd files I would highly recommend KM's Apache::Htpasswd.

(Ovid) Re: Integrating htpasswd and CGI
by Ovid (Cardinal) on Feb 11, 2002 at 17:47 UTC

    I just want to second the above comments about plain text and not being able to time out. The plain text issue is, of course, easily solved with an SSL connection (if you're curious about the .htaccess encoding, I describe it here). If you choose not to use SSL, make sure that you assign users passwords instead of allowing them to pick them. Then, when you assign them, make them difficult to use so they won't reuse them. Yes, they'll find that very annoying and will complain to you, but once their password gets sniffed because a non-encrypted connection was used, they'll be less likely to have reused the password elsewhere.

    The timeout issue is another problem. There is no direct way to time out an .htaccess authentication. People tend to forget that one of the worst security problems lies not with some cracker in Suburbia trying to break into your box, but the disgruntled coworker sitting next to you. Walking away from an open browser with a session that doesn't time out can have serious implications, even if the data being stored is trivial.

    Cheers,
    Ovid


Re: Integrating htpasswd and CGI
by moodster (Hermit) on Feb 11, 2002 at 17:51 UTC
    I'm not sure if you can send username and password via a form using only CGI.pm, but there are a couple of modules on CPAN which claim they can do it under mod_perl (supposedly they interact with the built-in perl interpreter in some magic way which I don't understand yet). So, you may want to check out Apache::AuthCookie and Apache::AuthTicket.

    When I designed my first (and only as of yet) interactive site I stuck to basic authentication but soon discovered its limitations. For example, there's no obvious way to create 'guest' accounts, and adding new users is a hassle.

    This assumes you are running under Apache of course, which I now realise you never said you did.

    Cheers, --Moodster