Programmatically building htpasswd
.htpasswd files are just text files with a specific format depending on the hash function specified. If you are using MD5 they look like this:
foo:$apr1$y1cXxW5l$3vapv2yyCXaYz8zGoXj241
That's the login, a colon, $apr1$, the salt and 1000 times md5 encoded as base64. If you select SHA1 they look like this:
foo:{SHA}BW6v589SIg3i3zaEW47RcMZ+I+M=
That's the login, a colon, the string {SHA} and the SHA1 hash encoded with base64.
If your language has an implementation of either MD5 or SHA1 and base64 you can just create the file like this:
<?php
$login = 'foo';
$pass = 'pass';
$hash = base64_encode(sha1($pass, true));
$contents = $login . ':{SHA}' . $hash;
file_put_contents('.htpasswd', $contents);
?>
Here's more information on the format:
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
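As an added example (not code from the original answers), a small Python auditor for the two line formats described above: it splits $apr1$ entries into salt and digest, checks {SHA} entries with a constant-time compare, and shows what the missing salt in {SHA} means in practice, since two users with the same password get the same digest. The function names, the logins "bar", "carol" and "dave", and the sample password are assumptions made for the illustration.

```python
import base64, hashlib, hmac
from collections import defaultdict

def sha_entry(login, password):
    """Build a {SHA} line the same way as the PHP snippet above."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{login}:{{SHA}}{base64.b64encode(digest).decode()}"

def parse_line(line):
    """Return (login, scheme, salt, digest), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    login, _, field = line.partition(":")
    if field.startswith("$apr1$"):
        parts = field.split("$", 3)  # ['', 'apr1', salt, digest]
        if len(parts) != 4 or not parts[2] or not parts[3]:
            return login, "malformed", "", field
        return login, "apr1-md5", parts[2], parts[3]
    if field.startswith("{SHA}"):
        return login, "sha1", "", field[len("{SHA}"):]
    if field.startswith("$2y$"):
        return login, "bcrypt", "", field
    return login, "crypt-or-plaintext", "", field

def verify_sha(digest_b64, password):
    """Check a password against a {SHA} digest with a constant-time compare."""
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest())
    return hmac.compare_digest(expected, digest_b64.encode())

def audit(text):
    """Flag unsalted {SHA} entries and logins whose {SHA} digests collide."""
    weak, by_digest = [], defaultdict(list)
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry and entry[1] == "sha1":
            weak.append(entry[0])
            by_digest[entry[3]].append(entry[0])
    shared = [users for users in by_digest.values() if len(users) > 1]
    return {"weak": weak, "shared": shared}

# Constructed sample: the first two hashes are quoted above, the rest is made up.
SAMPLE = "\n".join([
    "# constructed sample file",
    "foo:$apr1$y1cXxW5l$3vapv2yyCXaYz8zGoXj241",
    "bar:{SHA}BW6v589SIg3i3zaEW47RcMZ+I+M=",
    sha_entry("carol", "constructed-pw-1"),
    sha_entry("dave", "constructed-pw-1"),
])
print(audit(SAMPLE))
```

Salted schemes such as $apr1$ and bcrypt never show up in the "shared" list, because each entry carries its own salt.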
How to programmatically build an APR1-MD5 using PHP
It turns out I made a mistake and this function does in fact create working APR1 htpasswd entries. They do look different to the ones Apache creates but they do work.
HTTP-Authentication with .htpasswd file
I doubt that there is a direct way to ask Apache to authenticate a user, but there are a few workarounds for it:
- implement the missing algos yourself: APR1-MD5, SHA
- Use shell_exec("htpasswd -nb " . escapeshellarg($user) . " " . escapeshellarg($password)) to generate the hash and check it in the .htpasswd file
- Set up a virtual server on an internal interface that uses the .htpasswd file to authenticate and perform a curl call (with user credentials) to it, checking the response header (200 for authorized, 4xx for not authorized)
How do I parse and use htpasswd files in C#
I recently added support for Apache MD5 to CryptSharp. It can compute and verify these passwords for you. Since it's a variant you'll need to give an extra parameter to the Crypter.MD5.Crypt() method:
string cryptedPassword = Crypter.MD5.Crypt("HelloWorld", new CrypterOptions
{
    { CrypterOption.Variant, MD5CrypterVariant.Apache }
});
To verify:
bool matches = Crypter.CheckPassword("HelloWorld", cryptedPassword);
You can also verify using the Crypt() method itself, but CheckPassword() automatically determines if it's Apache MD5, DES, etc.
Hope this helps
James
how to generate a hash like apache's htpasswd using java
Passwords in Apache .htpasswd files are encoded using a salt. If you want to generate these passwords using Java you'll need to do the same. This site has an explanation of the salt/hashing algorithm used for Apache's .htpasswd files; I am looking for an actual algorithm you could use and will edit my answer after I find one.
EDIT: Looks like it's been asked before, right here on SO:
Programmatically building htpasswd
Here's the documentation from Apache, along with their source code:
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co
Can I programmatically log a user out of .htaccess authorization?
<?php
// this PHP will cause a logout event, and give the login prompt again
$AuthName='WHAT-EVER'; // must match AuthName in .htaccess.
header('HTTP/1.0 401 Unauthorized');
header('Content-type: text/html');
header('WWW-Authenticate: Basic realm="'.$AuthName.'"');
// now redirect them when they click cancel
// should be to a page with no password required.
// use an HTML meta redirect instead of HTTP
// so it runs after the auth is cancelled.
?>
<html><head><meta http-equiv='refresh' content='0;../'></head></html>
Add a comment on .htpasswd
Apache's config file format (of which .htaccess files are one example) doesn't technically support inline comments, only full-line comments (i.e. a line beginning with a #).
Lines that begin with the hash character "#" are considered comments, and are ignored. Comments may not be included on a line after a configuration directive. -- Official Apache 2.4 manual
How to automate generation of htpasswd from command line without typing password?
Why not just use:
htpasswd -b -c ~/temp/password admin test101
Generating htpasswd entry using R
Coming back to this....
The bcrypt package provides an R interface to the blowfish password hashing algorithm, and can be used to generate a suitable file. There don't seem to be packages for the other algorithms, but this one works.
library(bcrypt)
user_list <- list(
c("user1", "password1")
)
user_str <- sapply(user_list, function(x) paste(x[1], hashpw(x[2]), sep=":"))
writeLines(user_str, "auth")
Login page vs. htpasswd - Which is more secure?
I'd say always the login form (by which I assume you mean standard session-based authentication).
- .htaccess authentication transmits the password on every request (Of course, SSL would help here)
- .htaccess authentication doesn't have any rate limiting / brute-force protection by default in Apache
- Logging out from .htaccess authentication is a bitch