Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

Apache's .htpasswd files consist of user/password pairs, one pair per line, eg:

username1:unixcryptpassword username2:unixcryptpassword

The Apache::Htpasswd module provides the methods you will need to manage user accounts within .htpasswd (or other password files with the same format)- add and remove users, set & reset passwords. The module provides only an object orientated interface. For a more complete user management solution you may want to look at HTTPD::UserAdmin but for customised user management and integration with your site Apache::Htpasswd is a great tool.

Drawbacks:There is no way to list all the users in a passwd file. There is no method to find out if a specific user has an account. The fetchInfo() method can be bent to this purpose, but it returns "0" for an invalid account, otherwsise any info that is stored for that user or undef, to test for a user I wrapped it in a sub like this-

sub is_user { my $user = shift || return; my $info = $htpasswd->fetchInfo($user); return 0 if ($info eq '0'); return 1; }

Sample code

Here is a sample CGI script to allow a user to change their own password. It requires the user to know their own password first. This script should be run from within a .htaccess protected directory! It uses the $ENV{REMOTE_USER} variable which can be manipulated by an "attacker" however they would still then need to know the existing password for any user they specify.

#!/usr/bin/perl -wT # # BEGIN { # make the environment safe delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; $ENV{PATH} = ""; } use strict; use CGI; use CGI::Carp qw(fatalsToBrowser); use Apache::Htpasswd; my $cgi = new CGI; $|++; my %settings = (title => "htpasswd change page", dir => "/home/user/public_html/cgi-bin", htpasswd => ".htpasswd", fields => [ "old_passwd", "new_passwd", "new_passwd2 +" ], ); $settings{user} = $ENV{REMOTE_USER}; my $htpasswd = new Apache::Htpasswd("$settings{dir}/$settings{htpasswd +}"); print_page_headers($settings{title}); process_form(); print_form(); exit; sub process_form { return unless ( $cgi->param('change') ); my %data; for my $field ($cgi->param()){ if ( scalar grep /^\Q$field\E$/, @{$settings{fields}} ){ # its a field we know about my $tmp = substr($cgi->param($field), 0, 50); $tmp = lc($tmp) if ( $field eq "change_user_name" ); $data{$field} = $tmp || ''; } } if ( !$data{old_passwd} or !$data{new_passwd} or !$data{new_passwd2} + ){ print $cgi->p("You must fill out all fields!"); return; } if ( ! $htpasswd->htCheckPassword($settings{user}, $data{old_passwd} +) ){ print $cgi->p("Old password incorrect or invalid user name"); return; } if ( $data{new_passwd} eq $data{old_passwd} ){ print $cgi->p("New password must be different to old password!"); return; } if ( $data{new_passwd} ne $data{new_passwd2} ){ print $cgi->p("New passwords don't match!"); return; } if ( $data{new_passwd} !~ /^\S{6,8}$/ or $data{new_passwd} !~ /[^a-z +A-Z]+/ ){ print $cgi->p("New password must be 6-8 chars and contain at least + one number or punctuation character"); return; } $htpasswd->htpasswd($settings{user}, $data{new_passwd}, $data{old_pa +sswd}); if ( my $error = $htpasswd->error() ){ print $cgi->p("There was en error: [$error]"); } else { print $cgi->p("Password for $settings{user} was succesfully change +d"); } } sub print_page_headers { my $title = shift || "Page without a title"; print $cgi->header(); print $cgi->start_html($title); print $cgi->h2($title); print $cgi->hr(); return; } sub print_form { for (@{$settings{fields}} ){ $cgi->delete($_); } print $cgi->start_form(); print $cgi->b("Password Change for $settings{user}"); print $cgi->table({-border=>0}, $cgi->Tr( $cgi->td("Enter your ", $cgi->strong("old"), " password"), $cgi->td($cgi->password_field( -name => 'old_passwd', -value => '', -size => 10, -maxlength => 8))), $cgi->Tr($cgi->td("Enter your ", $cgi->strong("new"), " password"), $cgi->td($cgi->password_field( -name => 'new_passwd', -value => '', -size => 10, -maxlength => 10))), $cgi->Tr($cgi->td("Re-Enter your new password"), $cgi->td($cgi->password_field( -name => 'new_passwd2', -value => '', -size => 10, -maxlength => 10)), $cgi->td($cgi->submit( -name => 'change', -value => 'Change Password'))), ); print $cgi->end_form(), $cgi->hr(); print $cgi->end_html(); print "\n"; }

To prohibit downloading of your .htpasswd & associated files your .htaccess should look something like this:

AuthType Basic AuthName "Authorisation Required" AuthUserFile /path/to/.htpasswd <files ~ "^\.ht"> Order allow,deny Deny from all </files> <Limit GET POST> require user username </Limit>

In reply to Apache::Htpasswd by greenFox

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others having an uproarious good time at the Monastery: (5)
    As of 2018-05-26 06:41 GMT
    Find Nodes?
      Voting Booth?