How to set up a web directory protected with user and password using HTTP basic authentication
HTTP Basic Auth is very common on the web, although it is not the most secure scheme available.
Its simplicity makes it a quick way to add a layer of protection to a web directory, with no sessions or cookies needed.
HTTP Basic authentication requires that the client provide a username and password when making a request. RFC 7617 describes it as follows:
The "Basic" Hypertext Transfer Protocol (HTTP) authentication scheme transmits credentials as user-id/password pairs, encoded using Base64.
Base64 is a reversible encoding, not encryption: anyone who can read the request can recover the password with one decoding step, so the scheme only makes sense over TLS.
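As an added example (not code from the original post), here is the encoding and decoding the scheme performs, written in Python: the server's WWW-Authenticate challenge, the client's Authorization header, and the server-side parse that recovers the user-id and password. The realm and the credential values are made up for the demonstration. The decoding step is a single library call, which is exactly why the scheme is only usable over TLS.

```python
import base64
import binascii
from typing import Tuple

# Added example (not from the original post): how the "Basic" scheme of
# RFC 7617 packs credentials into the Authorization header, and how trivially
# the receiving side (or anyone watching the wire) unpacks them again.
# The realm name and the user/password values used below are made up.


def basic_challenge(realm: str) -> str:
    """Value of the WWW-Authenticate header the server sends with a 401."""
    # RFC 7617 allows an optional charset parameter; only "UTF-8" is defined.
    return 'Basic realm="%s", charset="UTF-8"' % realm.replace('"', '\\"')


def basic_authorization(user_id: str, password: str) -> str:
    """Value of the Authorization header a client sends back.

    The user-id must not contain a colon: the colon is the only separator in
    "user-id:password" and the server splits on the first one, so a colon in
    the password is fine but a colon in the user-id would be ambiguous.
    """
    if ":" in user_id:
        raise ValueError("user-id must not contain ':' (RFC 7617 section 2)")
    raw = ("%s:%s" % (user_id, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header_value: str) -> Tuple[str, str]:
    """Recover (user-id, password) from an Authorization header value.

    Raises ValueError on anything that is not well-formed Basic credentials,
    so a caller can answer 401 instead of guessing at malformed input.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():  # scheme name is case-insensitive
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("token is not valid base64")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("credentials are not valid UTF-8")
    user_id, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator between user-id and password")
    return user_id, password


if __name__ == "__main__":
    print("WWW-Authenticate:", basic_challenge("Restricted Access"))
    header = basic_authorization("foobar", "s3cret:with:colons")
    print("Authorization:", header)
    # Base64 is an encoding, not encryption: whoever holds the header
    # recovers the password with one function call.
    print("recovered:", parse_basic_authorization(header))
```

The "Aladdin" / "open sesame" pair is the worked example from RFC 7617 itself, so the header value it produces can be checked against the RFC text directly.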
Steps to secure a directory
To use HTTP Basic Authentication on an Apache server, you need to create two files:
- .htaccess: placed inside the directory to protect; it enables authentication for that directory and points at the password file
- .htpasswd: the password file (in this guide it is named apasswords and kept outside the document root)
Then each time a client accesses the directory containing the .htaccess file, the server asks for a username and password and validates them against the password file.
We will end up with this directory structure:

```
/home
  /secure
    apasswords
...
/var
  /www
    /myprotected
      .htaccess
```
Create Apache .htaccess
Create a .htaccess file inside each directory that will be protected, with the following content, in this case in /var/www/myprotected:

```apache
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/secure/apasswords
Require valid-user
```

AuthName is the realm shown to the user in the browser prompt, AuthUserFile is the absolute path of the password file, and Require valid-user admits any user listed in that file. Apache only honours these directives from a .htaccess file if the matching <Directory> block in the main configuration has AllowOverride AuthConfig (or All); with AllowOverride None the .htaccess file is ignored and the directory stays open, so verify this setting. The same four directives can be placed directly in a <Directory> block of the main configuration instead.
We use the htpasswd command, shipped with Apache, to manage the user files for Basic authentication:

```console
$ htpasswd --help
Usage:
	htpasswd [-cimBdpsDv] [-C cost] passwordfile username
	htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password

	htpasswd -n[imBdps] [-C cost] username
	htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
```

The default (-m) stores a salted MD5 based hash, which is fast to brute-force if the file ever leaks; for new files prefer -B, which stores bcrypt hashes with a tunable cost. Avoid -d, -s and -p, which the tool itself marks as insecure, and avoid -b on shared machines, because a password given on the command line ends up in the shell history and in the process list.
Create passwords file
Create a directory outside the Apache document root, so the password file can never be served to clients; only Apache (and the administrator who edits it) should be able to read it. mkdir -p creates the whole directory structure given in the path. htpasswd -c creates the password file, and truncates it if it already exists, so use -c only the first time.

```console
$ mkdir -p /home/secure/
# Create the password file with the user foobar
$ htpasswd -c /home/secure/apasswords foobar
New password:
Re-type new password:
Adding password for user foobar
# In this case the server user and group is www-data: root keeps write
# access, the www-data group can only read, everyone else gets nothing
$ chown root:www-data /home/secure/apasswords
$ chmod 0640 /home/secure/apasswords
```

/home/secure/apasswords must be readable only by the Apache web server; giving the web server user write access as well would let a compromised web process add its own users. Check the result with ls -l /home/secure/apasswords, which should show -rw-r----- with owner root and group www-data. Note that the ownership and mode must be set after htpasswd -c has created the file, not before.
To add more users
To add more users to the file, run the same command without the -c option (which would create a fresh file and wipe the existing users), giving the new username:

```console
$ htpasswd /home/secure/apasswords john
New password:
Re-type new password:
Adding password for user john
```

Changing existing users' passwords
We execute the same command with the user whose password we want to change:

```console
$ htpasswd /home/secure/apasswords john
New password:
Re-type new password:
Updating password for user john
```

A user can be removed with htpasswd -D /home/secure/apasswords john, and a password can be checked without modifying the file with htpasswd -v /home/secure/apasswords john.
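To make concrete what "validating against the password file" means, here is an added example (my own code, not Apache's and not from the original post) that checks a username/password pair against htpasswd-format entries in Python. It implements two of the formats listed in the htpasswd help output with the standard library only: {SHA} (htpasswd -s, an unsalted SHA-1) and the default $apr1$ format (htpasswd -m, the MD5-based md5-crypt variant with Apache's "apr1" magic, as produced by apr_md5_encode). bcrypt entries from htpasswd -B are refused rather than accepted, since verifying them needs the third-party bcrypt package. The sample file contents are constructed inline: the {SHA} line is the entry for the password "password", and the $apr1$ line is computed by the code itself with a fixed, made-up salt.

```python
import base64
import hashlib
import hmac

# Added example (not Apache's code, not from the original post): verify a
# username/password pair against htpasswd-format entries, the check that
# mod_auth_basic performs against AuthUserFile.
#   {SHA}<base64 sha1>   from "htpasswd -s"  (unsalted, listed as insecure)
#   $apr1$<salt>$<hash>  from "htpasswd -m"  (the default, salted MD5)
# bcrypt entries ($2y$...) from "htpasswd -B" need the bcrypt package and are
# rejected here rather than silently accepted.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt-style base64 used by md5-crypt (not RFC 4648): 6 bits per char, low bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5_crypt(password: str, salt: str) -> str:
    """Apache's $apr1$ hash: md5-crypt with the "$apr1$" magic string."""
    pw = password.encode("utf-8")
    salt = salt[:8]  # at most 8 salt characters are used
    sb = salt.encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in the alternate digest, len(pw) bytes of it
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for set bits, pw[0] otherwise
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop: 1000 extra MD5 rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$apr1$%s$%s" % (salt, enc)


def sha1_htpasswd(password: str) -> str:
    """The {SHA} format: base64 of the raw SHA-1 digest, with no salt at all."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_entry(stored: str, password: str) -> bool:
    """Recompute the stored hash from the candidate password; compare in constant time."""
    if stored.startswith("{SHA}"):
        candidate = sha1_htpasswd(password)
    elif stored.startswith("$apr1$"):
        salt = stored.split("$")[2]
        candidate = apr1_md5_crypt(password, salt)
    else:
        return False  # bcrypt ($2y$) and traditional crypt() not handled: fail closed
    return hmac.compare_digest(candidate.encode(), stored.encode())


def check_htpasswd(file_text: str, user: str, password: str) -> bool:
    """True if user has an entry in file_text and password matches it."""
    for line in file_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name == user:
            return verify_entry(stored, password)
    return False


# Constructed sample file: john's line is the {SHA} entry for the password
# "password"; foobar's line is computed here with a fixed, made-up salt.
SAMPLE_HTPASSWD = "\n".join([
    "john:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "foobar:" + apr1_md5_crypt("s3cret", "Ab3dEf9h"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(check_htpasswd(SAMPLE_HTPASSWD, "foobar", "s3cret"))   # True
    print(check_htpasswd(SAMPLE_HTPASSWD, "foobar", "S3CRET"))   # False
    print(check_htpasswd(SAMPLE_HTPASSWD, "john", "password"))   # True
```

The {SHA} branch shows why the help output calls that format insecure: with no salt, identical passwords produce identical entries and a precomputed table breaks them all at once. The $apr1$ branch adds a salt and 1000 MD5 rounds, which is better but still cheap on modern hardware, so bcrypt (-B) remains the right choice for new files.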
HTTP Basic authentication has several issues that make it insecure in some scenarios; the standard itself, RFC 7617, states:
This scheme is not considered to be a secure method of user authentication unless used in conjunction with some external secure system such as TLS (Transport Layer Security, [RFC5246]), as the user-id and password are passed over the network as cleartext.
| HTTP Basic auth issue | Insecurity issue |
|---|---|
| Password is sent in base64 encoding | Password can be decoded back to plaintext by anyone who sees the request (solved by using TLS, i.e. HTTPS only) |
| Password is sent with each request | Larger attack window: every request exposes the credentials |
| The password is cached by the web browser | Can be reused by any other request to the server, e.g. CSRF |
| The password may be stored permanently in the browser | CSRF, and it might be stolen by another user on a shared machine |
We have protected a directory with HTTP Basic Authentication; now every time we attempt to access that directory, typically from a browser, it will ask for username/password credentials. Without credentials the server answers 401 Unauthorized with a WWW-Authenticate: Basic header, and with valid ones it serves the content. Given the issues above, serve the protected directory over HTTPS only, or the credentials travel in the clear.
- RFC 7617, The 'Basic' HTTP Authentication Scheme: https://tools.ietf.org/html/rfc7617
- Information Security Stack Exchange answer: "Is BASIC-Auth secure if done over HTTPS?" by AviD