Log all .htaccess/.htpasswd logins

A common request I get is how to view and/or log all usernames and passwords that clients use to access a website protected by htaccess basic authorization.

This article is BOSS and will show you how to fully take control of this aspect of security using php and .htaccess, I don't believe you will find how to do this anywhere else on the net.

On this page → [hide]

Getting the password sent by the user
.htaccess
1. log-htpasswd.php
2. example log-htpasswd.log
Debugging htaccess/htpasswd authorization
1. 1. create a file called login.php in your /cgi-bin/ and copy to /
2. Add this to your /home/user/domain.com/.htaccess
Apache Source Code
More Info

Getting the password sent by the user

This is the php code you can use to show the decrypted password that was sent by the client.

$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;

.htaccess

# This points to your logging script, doesn't have to be php
ErrorDocument 401 /log-htpasswd.php
 
AuthName "Pass"
AuthUserFile /.htpasswd
AuthType Basic
Require valid-user
 
# Set REMOTE_USER env variable on 401 ErrorDocument
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]

log-htpasswd.php

<?php
define('LOGINS_LOG','/home/user/log-htpasswd.log');
 
if(isset($_ENV['REDIRECT_REMOTE_USER']) && !empty($_ENV['REDIRECT_REMOTE_USER'])){
 $fp = fopen(LOGINS_LOG, 'a+');
 fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']);
 fclose($fp);
}
 
ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>';
exit;
exit();
?>

example log-htpasswd.log

just a list of usernames attempted

username1
tom
rcowen
askapache
dreamhost
dreamadmin

Debugging htaccess/htpasswd authorization

1. create a file called login.php in your /cgi-bin/ and copy to /

<?php
define('LOGINS_LOG','/home/user/logins.log');
 
$fp = fopen(LOGINS_LOG, 'a+');
fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']."n");
fclose($fp);
 
ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>';
if($_SERVER['REMOTE_ADDR'] !== '208.113.183.103') die();
echo '<pre>';
$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;
print_r($_ENV);
print_r($_SERVER);
exit;
exit();
?>

Add this to your /home/user/domain.com/.htaccess

ErrorDocument 401 /logins.php
 
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$ [OR]
RewriteCond %{REQUEST_URI} ^/.*login*.php$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]
 
<files login.php>
AuthName "Protection"
AuthUserFile /home/user/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Files>

Now goto your web browser and request http://site.com/cgi-bin/login.php and try entering the wrong password, hitting cancel, entering the correct password, etc.

Apache Source Code

    case HTTP_PROXY_AUTHENTICATION_REQUIRED:
    case HTTP_UNAUTHORIZED:
        return("<p>This server could not verify that youn"
               "are authorized to access the documentn"
               "requested.  Either you supplied the wrongn"
               "credentials (e.g., bad password), or yourn"
               "browser doesn't understand how to supplyn"
               "the credentials required.</p>n");

More Info

January 29th, 2008

« Hackers Declare Total War against ScientologySearch Engine Verify Plugin Updated »

Comments Welcome

Davide

Hi,
I can't get your .htaccess log procedure workin. Can you help me?
It always return me error500
Thank You.
http://www.tiez.nl Asif

Hi,
I am having problem to log into the other domain's pages without popping up default login box. There are two domains involved in the application (PHP and APACHE based). At first domain I am authenticating user against AD.
Upon success I want to access other domains pages which are protected using htaccess rules without asking to reenter user credentials again. I want to bypass this rule.
When I tried sending username and password embedded inside url for e.g. 'http://user:password@www.domain.com'. I found that due to IE security fixes this idea doesn't seem to work.
Then I tried using cURL to bypass this rule. I got index page (Other domain's) output to first domain without redirecting to other domain. But problem is like whenever I tried to use the navigation functionality of this output for e.g. clicking on any of the links causes redirection into other domain pages and this again popups the login box.
Is there any solution to bypass this login process?
Jesse Fender
I cant seem to get anything to workfor me. it is driving me crazy, as i have followed 10 different directions on how i am supposed to go about doing this.
I am running an WinXP SP3 computer, with WAMP2.0 .
I can create the .htaccess file and the .htpasswd file and they seem to communicate however it will not allow me to log in, even though I have definatly typed it in correctly.
My .htaccess file as created here:
```
Order Deny,Allow
allow from all
AuthType Basic
AuthName "Protected By AskApache"
AuthUserFile /.htpasswd
Require user admin
```
.htpasswd file as created here:
```
admin:Protected By AskApache:b34b5b5d0a1775a0ca05bcde4e6bb6b6
admin:$apr1$S2lXd...$zec5jq3wMuN7ZYaN6ZkmM.
admin:{SHA}uCmFxVJD0zBc+hhcu0T+6xuqts0=
admin:S2ZFd.J3WQ7bY
```
The site refuses to respond to the attempts to log in, and i am at a loss...
Please help me....
Jesse Fender
http://unixsysadmin.org Brie

I am *so* doing this. This will be interesting info.
--
Brie

Kalil

do u put that in the address bar?

$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;

http://andrewchamp.com Andrew Champ

How about adding a time/date stamp to the log?

http://www.uyc.com hakeem

base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
 
echo $password;

http://www.outofdarkness.de cosmophobia

Why do you write!?
exit; exit();
- http://www.askapache.com/ AskApache
  
  Just to be safe for very old php versions.
Steve

how to generate log for who (user name), when (Date/time) & from where (IP Address) protected directory/file are attempt to access?
Please help me.
Thank you,
Steve.

Log all .htaccess/.htpasswd logins

Getting the password sent by the user

.htaccess

log-htpasswd.php

example log-htpasswd.log

Debugging htaccess/htpasswd authorization

1. create a file called login.php in your /cgi-bin/ and copy to /

Add this to your /home/user/domain.com/.htaccess

Apache Source Code

More Info

Comments Welcome

My Online Tools

Related Articles

Twitter

My Picks

Newest Posts

WordPress Development

Hacking and Hackers