Apache is a marvelous web server that offers .htpasswd and .htgroup for controlling restricted access to your website. By help of .htaccess, they work as a member login & user management system that is so simple and easy to deploy. You can even define user groups / roles with it.
Basically,
- .htpasswd defines pairs of username & password that are user accounts.
- .htgroup defines groups / roles of user accounts that can be access-controlled as a whole.
- .htaccess then applies .htpasswd and .htgroup to the current directory, and specifies which groups in .htgroup has access to the current directory.
For example, we have
/home/myuser/.htpasswd
user1:{SHA}kGPaD671VNU0OU5lqLiN/h6Q6ac=
user2:{SHA}npMqPEX3kPQTo+x/+ZckHDrIcQI=
user3:{SHA}q1Fh2LTUjjkncp11m0M9WUH5Zrw=
/home/myuser/.htgroup
admin: user2
editor: user1 user3
writer: user3
/home/myuser/public_html/example.com/member/.htaccess
AuthName "Members Area"
AuthType Basic
AuthUserFile /home/myuser/.htpasswd
AuthGroupFile /home/myuser/.htgroup
<Limit GET POST>
require group admin
require group writer
</Limit>
What they do is only let users in the admin and writer group, that is user2 and user3, to access example.com/member. When someone tries to access example.com/member, Apache would prompt him or her for user name and password, and he or she must be either user2 or user3 to access it — they must enter the correct password set out in .htpasswd for user2 or user3.
user1 isn’t allowed to access example.com/member even if the password is correct. You get the idea.
You can place .htaccess anywhere in your website, and it will control access to the directory it’s in by the defined rules (which groups / roles are allowed to access). Just make sure it is pointing to the right .htpasswd and .htgroup by AuthUserFile and AuthGroupFile.
And you can have multiple .htaccess in different directories of your website, using the same .htpasswd and .htgroup.
This is so simple yet so very handy in creating & managing different users and user roles (.htpasswd, .htgroup) and giving them permissions (.htaccess) in accessing different website assets.
PHP Class
Now that you are familiar with the basic authentication and native user management system in Apache, you can use this two simple PHP classes to automate tasks such as user creation, user deletion, adding user to group, and removing user from group.
class Htpasswd
class Htpasswd {
private $file = '';
private $salt = 'AynlJ2H.74VEfI^BZElc-Vb6G0ezE9a55-Wj';
private function write($pairs = array()) {
$str = '';
foreach ($pairs as $username => $password) {
$str .= "$username:{SHA}$password\n";
}
file_put_contents($this -> file, $str);
}
private function read() {
$pairs = array();
$fh = fopen($this -> file, 'r');
while (!feof($fh)) {
$pair_str = str_replace("\n", '', fgets($fh));
$pair_array = explode(':{SHA}', $pair_str);
if (count($pair_array) == 2) {
$pairs[$pair_array[0]] = $pair_array[1];
}
}
return $pairs;
}
private function getHash($clear_password = '') {
if (!empty($clear_password)) {
return base64_encode(sha1($clear_password, true));
} else {
return false;
}
}
public function __construct($file) {
if (file_exists($file)) {
$this -> file = $file;
} else {
die($file." doesn't exist.");
return false;
}
}
public function getUsers() {
return $this -> read();
}
public function addUser($username = '', $clear_password = '') {
if (!empty($username) && !empty($clear_password)) {
$all = $this -> read();
if (!array_key_exists($username, $all)) {
$all[$username] = $this -> getHash($clear_password);
$this -> write($all);
}
} else {
return false;
}
}
public function deleteUser($username = '') {
$all = $this -> read();
if (array_key_exists($username, $all)) {
unset($all[$username]);
$this -> write($all);
} else {
return false;
}
}
public function doesUserExist($username = '') {
$all = $this -> read();
if (array_key_exists($username, $all)) {
return true;
} else {
return false;
}
}
public function getClearPassword($username) {
return strtolower(substr(sha1($username.$this -> salt), 4, 12));
}
}
class Htgroup
class Htgroup {
private $file = '';
private function write($groups = array()) {
$str = '';
foreach ($groups as $group => $users) {
$users_str = '';
foreach ($users as $user) {
if (!empty($users_str)) {
$users_str .= ' ';
}
$users_str .= $user;
}
$str .= "$group: $users_str\n";
}
file_put_contents($this -> file, $str);
}
private function read() {
$groups = array();
$groups_str = file($this -> file, FILE_IGNORE_NEW_LINES);
foreach ($groups_str as $group_str) {
if (!empty($group_str)) {
$group_str_array = explode(': ', $group_str);
if (count($group_str_array) == 2) {
$users_array = explode(' ', $group_str_array[1]);
$groups[$group_str_array[0]] = $users_array;
}
}
}
return $groups;
}
public function __construct($file) {
if (file_exists($file)) {
$this -> file = $file;
} else {
die($file." doesn't exist.");
return false;
}
}
public function getGroups() {
return $this -> read();
}
public function addUserToGroup($username = '', $group = '') {
if (!empty($username) && !empty($group)) {
$all = $this -> read();
if (isset($all[$group])) {
if (!in_array($username, $all[$group])) {
$all[$group][] = $username;
}
} else {
$all[$group][] = $username;
}
$this -> write($all);
} else {
return false;
}
}
public function deleteUserFromGroup($username = '', $group = '') {
$all = $this -> read();
if (array_key_exists($group, $all)) {
$user_index = array_search($username, $all[$group]);
if ($user_index !== false) {
unset($all[$group][$user_index]);
if (count($all[$group]) == 0) {
unset($all[$group]);
}
$this -> write($all);
}
} else {
return false;
}
}
public function getGroupsByUser($username = '') {
$all = $this -> read();
$user_groups = array();
foreach ($all as $group => $users) {
if (in_array($username, $users)) {
$user_groups[] = $group;
}
}
return $user_groups;
}
}
Usage
First, you should use your own $salt. Change the value of $salt in the Htpasswd class to something else for your own application.
To instantiate the classes:
$passwdHandler = new Htpasswd('/home/myuser/.htpasswd');
$groupHandler = new Htgroup('/home/myuser/.htgroup');
To create and delete a user:
// Add a user with name 'user1' and password 'I prefer to use passphrase rather than password.' if it doesn't exist in .htpasswd.
$passwdHandler -> addUser('user1', 'I prefer to use passphrase rather than password.');
// Delete the user 'user1' if it exists in .htpasswd.
$passwdHandler -> deleteUser('user1');
To check if a particular user exists in .htpasswd:
// Check if user 'user1' exists in .htpasswd.
if ($passwdHandler -> doesUserExist('user1')) {
// User 'user1' exists.
}
To get the clear text password for a particular user (Apache stores passwords in .htpasswd as encoded strings):
// Get the clear password for user 'user1'.
echo $passwdHandler -> getClearPassword('user1');
To add a user to a group:
// Add user 'user1' to group 'admin' in .htgroup. Group will be automatically created if it doesn't exist.
$groupHandler -> addUserToGroup('user1', 'admin');
To delete a user from a group (user still exists in .htpasswd, just not associated with the group any more):
// Delete user 'user1' from group 'admin' in .htgroup. Group will be automatically removed if it doesn't contain any users.
$groupHandler -> deleteUserFromGroup('user1', 'admin');
To get a list of groups a particular user is assigned to:
/* Get an array of groups that 'user1' is a member of. */
$user_groups = $groupHandler -> getGroupsByUser('user1');
Conclusion
This ain’t concluded. It’s just an END notice. Feel free to let me know your thoughts and how my classes work for you.
getClearPassword() ….
Can SHA1 be decoded?
That’s for generating the random password. It’s not decoding.
Nice examples.