
Using Basic Authentication with Apache's .htaccess Files
We can achieve very similar results to the previous script without writing a PHP script.
The Apache Web server contains a number of different authentication modules that can be used
to decide the validity of data entered by a user. The easiest to use is mod_auth, which compares
name-password pairs to lines in a text file on the server.
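
A minimal model of the check described above, as an added example rather than code from the book or from Apache: it decodes an `Authorization: Basic` header and compares the pair against `name:hash` lines. The user name, password and function names are constructed for illustration, and the `{SHA}` entry format is used only because it needs nothing beyond the standard library; it is unsalted, and htpasswd offers stronger formats such as bcrypt.

```python
import base64
import hashlib
import hmac

def sha_entry(user, password):
    """Build one name:hash line in the {SHA} format (base64 of SHA-1)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed sample password file; the user and password are made up.
SAMPLE_PASSWORD_FILE = sha_entry("user1", "pass1") + "\n"

def basic_header(user, password):
    """Header value a browser sends after the login prompt (encoded, not encrypted)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def load_users(text):
    """Parse name:hash lines, skipping blank or malformed ones."""
    users = {}
    for line in text.splitlines():
        name, sep, stored = line.strip().partition(":")
        if sep and name:
            users[name] = stored
    return users

def check_basic_auth(header, users):
    """Return (status, page): 200 with the content or 401 with the rejection page."""
    denied = (401, "rejection.html")
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return denied
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return denied
    name, sep, password = decoded.partition(":")
    stored = users.get(name)
    if not sep or stored is None or not stored.startswith("{SHA}"):
        return denied
    candidate = sha_entry(name, password).split(":", 1)[1]
    # Constant-time comparison avoids leaking how much of the hash matched.
    if hmac.compare_digest(candidate.encode(), stored.encode()):
        return (200, "content.html")
    return denied
```

Because the header is only base64-encoded, the name and password are readable by anyone who can observe the request unless the connection is protected by TLS.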
In order to get the same output as the previous script, we need to create two separate HTML
files, one for the content and one for the rejection page. We skipped some HTML elements in
the previous examples, but really should include <html> and <body> tags when we are generating HTML.
Listing 14.5 contains the content that authorized users see. We have called this file
content.html. Listing 14.6 contains the rejection page. We have called this rejection.html.
Having a page to show in case of errors is optional, but it is a nice, professional touch if you
put something useful on it. Given that this page will be shown when a user attempts to enter a
protected area but is rejected, useful content might include instructions on how to register for a
password, or how to get a password reset and emailed if it has been forgotten.
LISTING 14.5 content.html: Our Sample Content
<html><body>
<h1>Here it is!</h1>
<p>I bet you are glad you can see this secret page.
</body></html>
LISTING 14.6 rejection.html: Our Sample 401 Error Page
<html><body>
<h1>Go Away!</h1>
<p>You are not authorized to view this resource.
</body></html>
There is nothing new in these files. The interesting file for this example is Listing 14.6. This
file needs to be called .htaccess, and will control access to files and any subdirectories in
its directory.