Log all .htaccess/.htpasswd loginsJanuary 29th, 2008
« Advanced WordPress 404.phpSearch Engine Verify Plugin Updated »
A common request I get is how to view and/or log all usernames and passwords that clients use to access a website protected by htaccess basic authorization.
This article is BOSS and will show you how to fully take control of this aspect of security using php and .htaccess, I don’t believe you will find how to do this anywhere else on the net.
Getting the password sent by the user
This is the php code you can use to show the decrypted password that was sent by the client.
$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;
.htaccess
# This points to your logging script, doesn't have to be php
ErrorDocument 401 /log-htpasswd.php
AuthName "Pass"
AuthUserFile /.htpasswd
AuthType Basic
Require valid-user
# Set REMOTE_USER env variable on 401 ErrorDocument
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]
log-htpasswd.php
<?php
define('LOGINS_LOG','/home/user/log-htpasswd.log');
if(isset($_ENV['REDIRECT_REMOTE_USER']) && !empty($_ENV['REDIRECT_REMOTE_USER'])){
$fp = fopen(LOGINS_LOG, 'a+');
fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']);
fclose($fp);
}
ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn\'t understand how to supply
the credentials required.</p>';
exit;
exit();
?>
example log-htpasswd.log
just a list of usernames attempted
username1 tom rcowen askapache dreamhost dreamadmin
Debugging htaccess/htpasswd authorization
1. create a file called login.php in your /cgi-bin/ and copy to /
<?php
define('LOGINS_LOG','/home/user/logins.log');
$fp = fopen(LOGINS_LOG, 'a+');
fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']."\n");
fclose($fp);
ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn\'t understand how to supply
the credentials required.</p>';
if($_SERVER['REMOTE_ADDR'] !== '208.113.183.103') die();
echo '<pre>';
$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;
print_r($_ENV);
print_r($_SERVER);
exit;
exit();
?>
Add this to your /home/user/domain.com/.htaccess
ErrorDocument 401 /logins.php
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$ [OR]
RewriteCond %{REQUEST_URI} ^/.*login*\.php$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]
<Files login.php>
AuthName "Protection"
AuthUserFile /home/user/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Files>
Now goto your web browser and request http://site.com/cgi-bin/login.php and try entering the wrong password, hitting cancel, entering the correct password, etc.
Apache Source Code
case HTTP_PROXY_AUTHENTICATION_REQUIRED:
case HTTP_UNAUTHORIZED:
return("<p>This server could not verify that you\n"
"are authorized to access the document\n"
"requested. Either you supplied the wrong\n"
"credentials (e.g., bad password), or your\n"
"browser doesn't understand how to supply\n"
"the credentials required.</p>\n");
More Info
- Custom Error Responses
- Authentication, Authorization and Access Control
- Apache Module mod_access
- Apache Module mod_auth
- ErrorDocument Directive
« Advanced WordPress 404.phpSearch Engine Verify Plugin Updated »
Similar Reads
- Update: AskApache Password Protect Plugin
- Allowing Access From 1 static IP and Deny the rest
- Troubleshooting Apache .htaccess Authentication
- .htpasswd file Generator
- Control htaccess Basic Authentication with PHP and mod_rewrite
- Apache Authentication in htaccess
- htaccess HTTPS / SSL Tips, Tricks, and Hacks
- New Version of Password Protection Plugin
- Using FilesMatch and Files in htaccess
Tags: htaccess, htpasswd, htpasswd login
Sponsors
Someone's Reading
- Log all .htaccess/.htpasswd logins
- Advanced WordPress 404.php
- Hackers Declare Total War against Scientology
- Is Your Password Crackable?
- Firefox Adsense WordPress Plugin
- Come On and Sprite for your Website
- Skeleton .htaccess file for Powweb Hosting
- Custom Boot Menu in Windows XP
Related Articles
- Update: AskApache Password Protect Plugin
- Allowing Access From 1 static IP and Deny the rest
- Troubleshooting Apache .htaccess Authentication
Most Popular 100
- Abbr and Acronym examples
- Speed Up Sites with htaccess Caching
- Undetectable Sniffing On Ethernet
- SEO with Robots.txt
- Custom PHP.ini tips and tricks
Newest Posts
- The Final Countdown – Mario Bros Style
- Make Windows XP Blazingly Fast
- Student under Criminal Investigation for Allegedly Sending Email
Random
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee
It's very simple -
you read the protocol
and write the code.
-Bill Joy
HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C | WAI | DISA | ICSI | GIAC | SANS RR | GHOST
Authority: 110 ↑ TOPExcept where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed according to these terms. "Apache" is a trademark of The ASF.
Hi,
I am having problem to log into the other domain’s pages without popping up default login box. There are two domains involved in the application (PHP and APACHE based). At first domain I am authenticating user against AD.
Upon success I want to access other domains pages which are protected using htaccess rules without asking to reenter user credentials again. I want to bypass this rule.
When I tried sending username and password embedded inside url for e.g. ‘
http://user:password@www.domain.com‘. I found that due to IE security fixes this idea doesn’t seem to work.Then I tried using cURL to bypass this rule. I got index page (Other domain’s) output to first domain without redirecting to other domain. But problem is like whenever I tried to use the navigation functionality of this output for e.g. clicking on any of the links causes redirection into other domain pages and this again popups the login box.
Is there any solution to bypass this login process?
Hi,
I can’t get your .htaccess log procedure workin. Can you help me?
It always return me error500
Thank You.