Log all .htaccess/.htpasswd logins

htaccess htpasswd with phpA common request I get is how to view and/or log all usernames and passwords that clients use to access a website protected by htaccess basic authorization.

This article is BOSS and will show you how to fully take control of this aspect of security using php and .htaccess, I don't believe you will find how to do this anywhere else on the net.

Getting the password sent by the user

This is the php code you can use to show the decrypted password that was sent by the client.

$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;

.htaccess

# This points to your logging script, doesn't have to be php
ErrorDocument 401 /log-htpasswd.php

AuthName "Pass"
AuthUserFile /.htpasswd
AuthType Basic
Require valid-user

# Set REMOTE_USER env variable on 401 ErrorDocument
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]

log-htpasswd.php

<?php
define('LOGINS_LOG','/web/user/log-htpasswd.log');

if(isset($_ENV['REDIRECT_REMOTE_USER']) && !empty($_ENV['REDIRECT_REMOTE_USER'])){
 $fp = fopen(LOGINS_LOG, 'a+');
 fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']);
 fclose($fp);
}

ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1 id="Authorization_Required">Authorization Required <a class="sl" href="#Authorization_Required"></a></h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>';
exit;
exit();
?>

example log-htpasswd.log

just a list of usernames attempted
username1
tom
rcowen
askapache
dreamhost
dreamadmin

Debugging htaccess/htpasswd authorization

1. create a file called login.php in your /cgi-bin/ and copy to /

<?php
define('LOGINS_LOG','/web/user/logins.log');

$fp = fopen(LOGINS_LOG, 'a+');
fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']."n");
fclose($fp);

ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1 id="Authorization_Required-s0">Authorization Required <a class="sl" href="#Authorization_Required-s0"></a></h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>';
if($_SERVER['REMOTE_ADDR'] !== '208.113.183.103') die();
echo '<pre>';
$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;
print_r($_ENV);
print_r($_SERVER);
exit;
exit();
?>

Add this to your /web/user/domain.com/.htaccess

ErrorDocument 401 /logins.php

RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$ [OR]
RewriteCond %{REQUEST_URI} ^/.*login*.php$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]

<files login.php>
AuthName "Protection"
AuthUserFile /web/user/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Files>
Now goto your web browser and request http://site.com/cgi-bin/login.php and try entering the wrong password, hitting cancel, entering the correct password, etc.

Apache Source Code

    case HTTP_PROXY_AUTHENTICATION_REQUIRED:
    case HTTP_UNAUTHORIZED:
        return("<p>This server could not verify that youn"
               "are authorized to access the documentn"
               "requested.  Either you supplied the wrongn"
               "credentials (e.g., bad password), or yourn"
               "browser doesn't understand how to supplyn"
               "the credentials required.</p>n");

More Info

Htaccess

Comments