csdco Posted June 25, 2010 Is this a safe practice, why or why not? I guess you'd never want .htaccess or .htpasswd to be owned by the www group or permissions set to 755, but it sure would make things easier for me to allow some customers to update their .htpasswd passwords without requiring me to set them up manually.
RopeADope Posted June 25, 2010 Wouldn't it be easier to set up the usernames and passwords in a database?
csdco Posted June 25, 2010 (Author) Typically, yes, that's what I'd do. But in some instances a customer may have a directory (/admin for example) that houses multiple subdirectories, scripts, files, etc., that need to be readily available but not given public access. A very quick and secure method of locking these down is to throw .htpasswd on the /admin directory (and subsequently all sub-dirs). In these cases, I'd like to allow them to update the password quickly via the control panel that's been set up. It would be as simple as creating the hashed password, truncating, and then writing the contents to the .htpasswd file, but is this considered secure?
RopeADope Posted June 25, 2010 Just a thought, I'm still a PHP novice, but what if you had the passwords in the database, and just temporarily granted access to certain directories based on their login credentials? That way you'd leave the htpasswd files intact, but still allow users access. Basically have your application change directory permissions on login, then lock them down on logout (this may be less efficient, but I'm positive). This would make your application the only method of accessing the files instead of possibly opening up holes via constant htpasswd modification. On a side note, if you wanted to go the route of allowing users to mod their htpasswd files, I'd assume it'd be safe as long as the traffic is encrypted and the update method was failsafe (e.g. trim unneeded chars, etc).
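An added example, not code from either poster, of the "hash, then rewrite .htpasswd" step csdco describes, done the way RopeADope's "failsafe update method" point suggests: the username is validated instead of trimmed (a colon or newline in it would inject a second record), the password is stored as a bcrypt hash (Apache 2.4's mod_authn_file accepts `$2y$` hashes), other users' lines are preserved, and the file is written to a temp file and renamed over the original rather than truncated in place, so a crash mid-write never leaves an empty password file. The file path, the username character set and the demo credentials are assumptions for the example; in a real deployment the path is whatever `AuthUserFile` points at, kept outside the document root, and how the PHP process gets write access to that one file (not to .htaccess or the directory) is a deployment decision.

```php
<?php
// Added example (not from the thread): update one user's entry in an Apache
// .htpasswd file from PHP. Assumes Apache 2.4+ (bcrypt "$2y$" support) and
// that the PHP process may write the target file but nothing else nearby.

/**
 * Replace (or add) $user's line in $path with a bcrypt hash of $password.
 * Returns true on success; throws on invalid input or I/O failure.
 */
function htpasswd_set(string $path, string $user, string $password): bool
{
    // Records are "user:hash", one per line. A colon, CR or LF in the name
    // would let a caller write a second record, so allow only a plain token
    // (character set is an assumption; tighten it to your own rules).
    if (!preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }
    // bcrypt only uses the first 72 bytes of input; reject longer passwords
    // rather than silently truncating them.
    if (strlen($password) < 8 || strlen($password) > 72) {
        throw new InvalidArgumentException('password must be 8..72 bytes');
    }

    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

    // Read the existing records (if any) so other users keep their entries.
    $lines = is_file($path)
        ? file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : [];
    $out = [];
    $replaced = false;
    foreach ($lines as $line) {
        [$name] = explode(':', $line, 2);
        if ($name === $user) {
            $out[] = "$user:$hash";
            $replaced = true;
        } else {
            $out[] = $line;
        }
    }
    if (!$replaced) {
        $out[] = "$user:$hash";
    }

    // Write to a temp file in the same directory, restrict its mode, then
    // rename() it over the original. rename() is atomic on one filesystem, so
    // Apache never reads a half-written or zero-length password file.
    $tmp = tempnam(dirname($path), '.htpasswd.');
    if ($tmp === false) {
        throw new RuntimeException('cannot create temp file');
    }
    try {
        chmod($tmp, 0640);
        $data = implode("\n", $out) . "\n";
        if (file_put_contents($tmp, $data, LOCK_EX) === false || !rename($tmp, $path)) {
            throw new RuntimeException('write failed');
        }
    } catch (Throwable $e) {
        @unlink($tmp);
        throw $e;
    }
    return true;
}

/** Check a password against the file the way Apache would (bcrypt entries). */
function htpasswd_verify(string $path, string $user, string $password): bool
{
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$name, $hash] = explode(':', $line, 2) + [1 => ''];
        if ($name === $user) {
            return password_verify($password, $hash);
        }
    }
    return false;
}

// Demo with a constructed path; in production use the AuthUserFile path.
$file = sys_get_temp_dir() . '/demo.htpasswd';
htpasswd_set($file, 'alice', 'correct horse battery');
htpasswd_set($file, 'bob', 'another long passphrase');
htpasswd_set($file, 'alice', 'rotated passphrase 2');   // replaces alice only
var_dump(htpasswd_verify($file, 'alice', 'rotated passphrase 2'));
var_dump(htpasswd_verify($file, 'bob', 'wrong'));
```

If the server still runs an Apache older than 2.4, swap `password_hash` for whichever hash format its `htpasswd` tool emits; everything else (username validation, preserving other records, temp-file-plus-rename) stays the same.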