Specifications

LISTING 14.7 .htaccess: An .htaccess File Can Set Many Apache Configuration Settings,
Including Activating Authentication
ErrorDocument 401 /chapter14/rejection.html
AuthUserFile /home/book/.htpass
AuthGroupFile /dev/null
AuthName "Realm-Name"
AuthType Basic
require valid-user
Listing 14.7 is an .htaccess file to turn on basic authentication in a directory. Many settings
can be made in an .htaccess file, but the six lines in our example all relate to authentication.
The first line
ErrorDocument 401 /chapter14/rejection.html
tells Apache what document to display for visitors who fail to authenticate. You can use other
ErrorDocument directives to provide your own pages for other HTTP errors such as 404. The
syntax is
ErrorDocument error_number URL
For a page to handle error 401, it is important that the URL given is publicly available. It
would not be very useful to provide a customized error page telling people that their
authorization failed if the page is locked in a directory in which they need to successfully
authenticate to see it.
The line
AuthUserFile /home/book/.htpass
tells Apache where to find the file that contains authorized users' passwords. This is often
named .htpass, but you can give it any name you prefer. It is not important what this file is
called, but it is important where it is stored. It should not be stored within the Web tree
somewhere that people can download it via the Web server. Our sample .htpass file is shown
in Listing 14.8.
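The two placement rules above (the 401 page must be reachable without logging in, and the password file must sit outside the Web tree) can be checked mechanically. The following is an added example, not code from the book; the document root /home/book/public_html and the protected URL path /chapter14/protected are assumed values.

```python
import posixpath
import shlex

def parse_htaccess(text):
    """Map lower-cased directive name -> list of argument lists (flat files only)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # honours "quoted args" such as AuthName
            directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives

def is_under(path, parent):
    """True if path is parent or lies beneath it, after resolving . and .. segments."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def audit(text, docroot, protected_url):
    """docroot: filesystem path of the Web tree; protected_url: URL path the
    .htaccess protects. Both are supplied by the caller (assumed values below)."""
    found = []
    directives = parse_htaccess(text)
    for args in directives.get("authuserfile", []):
        # Only absolute paths are checked; relative ones depend on ServerRoot.
        if args and args[0].startswith("/") and is_under(args[0], docroot):
            found.append("AuthUserFile inside Web tree: " + args[0])
    for args in directives.get("errordocument", []):
        # A local URL path for 401 must not sit behind the same login.
        if len(args) == 2 and args[0] == "401" and is_under(args[1], protected_url):
            found.append("401 page requires authentication: " + args[1])
    return found

# Constructed inputs: GOOD mirrors Listing 14.7, BAD breaks both rules.
DOCROOT, PROTECTED = "/home/book/public_html", "/chapter14/protected"  # assumed
GOOD = """ErrorDocument 401 /chapter14/rejection.html
AuthUserFile /home/book/.htpass
AuthGroupFile /dev/null
AuthName "Realm-Name"
AuthType Basic
require valid-user
"""
BAD = GOOD.replace("/chapter14/rejection.html", "/chapter14/protected/rejection.html")
BAD = BAD.replace("/home/book/.htpass", "/home/book/public_html/chapter14/protected/.htpass")

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(conf, DOCROOT, PROTECTED) or "no findings")
```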
As well as specifying individual users who are authorized, it is possible to specify that only
authorized users who fall into specific groups may access resources. We have chosen not to, so
the line
AuthGroupFile /dev/null
sets our AuthGroupFile to point to /dev/null, a special file on UNIX systems that is
guaranteed to be null.
Implementing Authentication with PHP and MySQL
CHAPTER 14