if you use .htaccess files, as you suggest, then changing the access restrictions doesn't mean you have to restart the server. It sounds like all you need is to throw together a friendly front end.

There are two CPAN modules that will do nearly all that work for you: Apache::Htaccess and Apache::Htpasswd provide object-oriented interfaces to their respective files and the usual directives, and should make changing authentication policies and adding users a very simple job.

You don't have to put htaccess directives in the httpd.conf, you can also put them in a .htaccess file in the directory you want to protect, which does not require restarting apache. Perl can generate the encrypted passwords using the crypt() function (perldoc -f crypt).

Thanks for comments. What salt should i throw at crypt to mimic the htaccess crypt? i'm trying to write a htpasswd file in perl. if the password is birthday. I want to generate the .htpasswd file. so in perl i could say.

#!/usr/bin/perl
use strict;
my $passw = "birthday";
print crypt($passw,"SALT");
[download]

But the output doesn't match the shadow password file. I thought these needed to match. Here's my .htaccess file if it helps.

AuthName "Clients/jtrue"
AuthType Basic
AuthUserFile /home/latitude38productions/.htpasswd
Require valid-user
[download]

thanks for reading.

From perldoc -f crypt:

  When verifying an existing encrypted string you should use the
  encrypted text as the salt (like "crypt($plain, $crypted) eq
  $crypted"). This allows your code to work with the standard
  "crypt" and with more exotic implementations.
[download]

Works perfectly with htpasswd.

Update: Or you could try Apache::Htpasswd.

    $foo = new Apache::Htpasswd({passwdFile => "path-to-file",
                 ReadOnly   => 1}
                );
    # Check that a password is correct
    $pwdFile->htCheckPassword("zog", "password");
[download]

use CGI;
my $request = CGI->new;
if( $ENV{'REMOTE_USER'} eq "sutch" && $ENV{'REMOTE_PASSWD' } eq "myb4d
+" ) {
  # user is authenticated
  print $request->header;
  # return restricted web page here
} else {
  print $request->header( '-status' => '401 Authentication required', 
+'-auth-type' => 'Basic', '-WWW-Authenticate' => 'Basic realm="My Rest
+ricted Area"' );
  # return failed authentication message here
}
[download]

A benefit of handling the authentication yourself is that you can also expire authenticated sessions and allow users to logout. This can be done by returning a 401 status with different realm text.

This sounds interesting.

But i'm not getting the environment variables REMOTE_USER and REMOTE_PASSWD returning anything. I login successfully with htaccess but neither return anything.

#!/usr/bin/perl
use CGI;
my $request = CGI->new;
print $request->header;
print <<EOM;
CHECK/$ENV{'REMOTE_USER'}/$ENV{'REMOTE_PASSWD'}
EOM
exit;
[download]

This is running on Win2k Apache2 BTW.

thanks update

$ENV{'REMOTE_USER'} will return but $ENV{'REMOTE_PASSWD'} will not