File_HtAccess provides common methods to create and manipulate Apache / NCSA style .htaccess files. These files together with accompanying password files are used to protect webserver directories. Since File_HtAccess does not provide any means to manipulate or create password files you should use it together with File_Passwd.
The most common and the original purpose of .htaccess files is to create per-directory password protection of resources. With modern webservers there is vast amount of other things .htaccess files can do. These include: custom error pages, ip based access control, redirecting users automatically, denying directory listing and using different files as an index file.
File_HtAccess concentrates only to password protection of directories, although it is possible to use it to control other things mentioned above too.
A .htaccess file is built from the following basic directives. They differ a bit whether youre using Basic or Digest authentication.
Table 38-1. Directives
Directive | Purpose |
---|---|
AuthType | Authentication type being used, "Basic" or "Digest". |
AuthName | Authentication realm or name. |
AuthUserFile | Full path to password file if using Basic authentication. |
AuthGroupFile | Full path to group file if using Basic authentication. |
AuthDigestFile | Full path to password file if using Digest authentication. |
AuthDigestGroupFile | Full path to group file if using Digest authentication. |
Require | Requirements which must be met to grant access. |
File_HtAccess provides method accessor methods with corresponding names for each of these directives, such as getAuthType() and setAuthType().
A typical .htaccess file looks like this:
AuthName "Protected" AuthType Basic AuthUserFile /usr/local/apache/conf/users.dat require valid-user |
When a client requests resource protected with basic authentication webserver responds with a 401 Authentication Required header. When client receives 401 header it asks the user for username and password. If authentication succeeds, the protected resource will be sent to the client. Otherwise the access will be denied.
Even though the passwords are stored encrypted on serverside they are sent cleartext between client and server when using Basic authentication. With Digest authentication the passwords are never sent cleartext but as a MD5 digest instead. The caveat is, most browsers do not support Digest authentication.