The following discussions involve not only CGI script security, but also Apache and Linux configuration and administration.
Your web site may have some restricted content, such as premium pages
for registered customers or administrative functions for web site
authentication to establish the
identity of the visitor.
The simplest authentication method in Apache is
This requires a password file on the web server and a
require directive in a config file:
<Location /auth_demo_dir>
    AuthName "My Authorization"
    AuthType Basic
    # Note: Keep the password files in their own directory
    AuthUserFile /usr/local/apache/auth_dir/auth_demo_password
    Order deny,allow
    Require valid-user
</Location>
I suggest storing password files in their own directories, outside
the document root. You may use subdirectories to segregate files by
user or virtual host. This is more manageable than
.htaccess files all over the site, and it keeps
Apache running faster.
You can specify any matching user, a list of users, or a list of groups:
require valid-user
require user user2...
require group
Where are the names and passwords stored? The simplest, specified by
AuthUserFile in the example, is a flat text file
on the server. To create the password file initially, type the
htpasswd -c /usr/local/apache/auth_dir/auth_demo_password
To add entries to the password file:
htpasswd /usr/local/apache/auth_dir/auth_demo_password ...
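
An added example, not from the original text: a small Python audit of an AuthUserFile that checks the two things this section is concerned with, where the password file lives relative to the document root and what its user:hash entries contain. The function names, the acceptable/weak ratings and the sample entries are assumptions made for the example.

```python
import os
import stat

# htpasswd hash prefixes; the acceptable/weak rating is this example's assumption.
SCHEMES = (("$2y$", "bcrypt", True), ("$5$", "sha256-crypt", True),
           ("$6$", "sha512-crypt", True), ("$apr1$", "apr1-md5", False),
           ("{SHA}", "unsalted-sha1", False))

# Constructed sample entries; the hash fields are placeholders, not real hashes.
SAMPLE = """\
alice:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDER
bob:$apr1$PLACEHLD$PLACEHOLDERPLACEHOLDER
carol:{SHA}PLACEHOLDERPLACEHOLDER=
dave:abPLACEHOLDER
bob:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDER
broken-line-without-colon
"""

def classify(hashed):
    for prefix, scheme, ok in SCHEMES:
        if hashed.startswith(prefix):
            return scheme, ok
    is_crypt = len(hashed) == 13  # 13 chars, no prefix: traditional crypt()
    return ("des-crypt", False) if is_crypt else ("unknown", False)

def audit_entries(text):
    """Return (line number, finding) pairs for the entries of a password file."""
    findings, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank and comment lines
            continue
        user, sep, hashed = line.partition(":")
        if not (sep and user and hashed):
            findings.append((n, "malformed entry"))
            continue
        if user in seen:  # a second entry for the same name is ambiguous
            findings.append((n, f"duplicate user {user}"))
        seen.add(user)
        scheme, ok = classify(hashed)
        if not ok:
            findings.append((n, f"{user}: weak scheme {scheme}"))
    return findings

def audit_location(path, document_root):
    """Report whether the file sits under the document root or is open to 'other'."""
    real, root = os.path.realpath(path), os.path.realpath(document_root)
    inside = os.path.commonpath([real, root]) == root  # component-wise, not a string prefix
    exposed = bool(os.stat(real).st_mode & (stat.S_IROTH | stat.S_IWOTH))
    return {"inside_document_root": inside, "world_accessible": exposed}
```

Run audit_entries on the contents of the file named in AuthUserFile, and audit_location on its path together with the server's document root.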