A free and open-source book on Zend Framework for beginners


2.9. HTTP Authentication

You may want to allow access to your site to certain users. For example, when you are demonstrating your website to your boss, you will give her username and password for logging into your site.

To allow access to your website by username and password, you can modify the virtual host file as follows:

...
<Directory /home/username/helloworld/public/>
    DirectoryIndex index.php
    AllowOverride All
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
</Directory>
...

Line 5 defines Basic authentication method. The most common method is Basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data. Apache supports one other authentication method: AuthType Digest. This method is much more secure. Most recent browsers support Digest authentication.

Line 6 defines the text that will be displayed to user when he tries to log in.

Line 7 defines the file where passwords will be stored. This file should be created with the htpasswd utility.

Line 8 will allow anyone to log in that is listed in the password file, and who correctly enters their password.

To create passwords file, type the following command:

htpasswd -c /usr/local/apache/passwd/passwords <username>

In the command above, you should replace the <username> placeholder with the name of the user. You can choose an arbitrary name, for example "admin". The command will request the user's password and write the password to the file:

# htpasswd -c /usr/local/apache/passwd/passwords <username>
New password: 
Re-type new password: 
Adding password for user <username>

When the user tries to visit the site, he/she sees the HTTP authentication dialog. To log into your site, the visitor should enter the correct username and password.

For additional information on HTTP authentication, you can refer to Authentication and Authorization topic of Apache documentation.


Top