Building A Quick-And-Dirty Guestbook With patGuestbook (part 2) - Locking It Down (
Page 7 of 8 )
If there is one drawback to the patGuestbook application, it is the lack
of security for the administration module. By default, patGuestbook leaves the
entire administration section totally unprotected and open to malicious attacks.
If you're using the Apache Web server (you probably are), you can access the server's
authentication features to add basic security to this section.
In order to illustrate how this works, let's consider a simple example. Let's
assume the existence of the following directory structure:
/usr/local/apache/htdocs/patGuestbook/
example.php
/admin/
guestbook.php
Now, let's suppose that I want to protect the directory "admin". It's fairly
simple to do with HTTP authentication.
The first step is to ensure that your Apache build includes support for the "mod_auth"
module. You can check this by executing the Apache binary with the "-l" command-line
option.
$ /usr/local/apache/bin/httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_setenvif.c
mod_php4.c
If you don't see "mod_auth" in the list, you'll need to recompile Apache with
support for that module.
Next, check Apache's configuration file, "httpd.conf", and ensure that the option
AllowOverride All
is present in the section for the server document root. This allows you to override
global server settings via per-directory ".htaccess" control files.
Next, create a file named ".htaccess" in the "admin" directory, and put the following
lines into it:
AuthType Basic
AuthUserFile /usr/local/apache/users
AuthName "patGuestbook Administration
Module"
Require valid-user
This tells the server that access to the "admin" directory (the directory in
which the ".htaccess" file is located) is to be controlled, and access is to be
granted to users based on the username/password information in the file "/usr/local/apache/users"
The final step is to create the "users" file. Change to the "/usr/local/apache"
directory (or whichever directory you've decided to store the user data in) and
use the "htpasswd" command:
$ htpasswd -c users john
New password: ****
Re-type new password: ****
Adding
password for user john
You can add more users to this file if you like (remember to omit the "-c" parameter
for all subsequent additions, as that parameter creates a brand-new, empty file).
Remember *not* to store the "users" file in a directory under the server document
root, or else malicious users will be able to view and download the password database
through a browser.
Now, attempt to access the "admin" directory via your Web browser. The browser
should pop up a dialog box and prompt you for a username and password. Access
to the "admin" directory will be granted only if you enter a correct username
and password, as defined in the "users" file.
Note that this is very primitive authentication, and can substantially add to
the load on your Web server if it involves a large number of users. For a more
comprehensive solution, take a look at
User Authentication with patUser
