Another option is to not deal with the htpasswd file and store and test user credentials within your program. For example:
use CGI;
my $request = CGI->new;
if( $ENV{'REMOTE_USER'} eq "sutch" && $ENV{'REMOTE_PASSWD'} eq "myb4d" ) {
    # user is authenticated
    print $request->header;
    # return restricted web page here
} else {
    print $request->header( '-status' => '401 Authentication required', '-auth-type' => 'Basic', '-WWW-Authenticate' => 'Basic realm="My Restricted Area"' );
    # return failed authentication message here
}
This will provide the user with the familiar username/password dialog box that is displayed when using htaccess. Instead of Apache handling the authentication though, the script tests the REMOTE_USER and REMOTE_PASSWD environment variables to authenticate the user.
A benefit of handling the authentication yourself is that you can also expire authenticated sessions and allow users to log out. This can be done by returning a 401 status with different realm text.
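An added example, not part of the post above: one way a script can check Basic credentials itself without keeping the password as a plaintext literal, by decoding the `Authorization` header and comparing a PBKDF2-HMAC-SHA256 derived key in constant time. It assumes the web server is configured to pass that header to the script as `HTTP_AUTHORIZATION`; the user name, passphrase, salt, iteration count and all helper names are constructed for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);
use Digest::SHA qw(hmac_sha256);

# PBKDF2-HMAC-SHA256, first 32-byte output block only.
sub pbkdf2_sha256 {
    my ($password, $salt, $iter) = @_;
    my $u   = hmac_sha256($salt . pack('N', 1), $password);
    my $out = $u;
    for (2 .. $iter) { $u = hmac_sha256($u, $password); $out ^= $u }
    return $out;
}

# Compare two byte strings without stopping at the first difference.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Split "Basic <base64(user:password)>" into its parts; empty list if malformed.
sub parse_basic {
    my ($header) = @_;
    return unless defined $header
        && $header =~ m{\ABasic\s+([A-Za-z0-9+/]+=*)\s*\z}i;
    my ($user, $pass) = split /:/, decode_base64($1), 2;
    return defined $pass ? ($user, $pass) : ();
}

# Constructed sample store: user => [salt, iterations, derived key].
# A real store would use a random per-user salt and be loaded from disk.
my $ITER  = 10_000;    # example value only
my %users = (demo => ['constructed-salt', $ITER,
    pbkdf2_sha256('constructed-passphrase', 'constructed-salt', $ITER)]);

sub check_auth {
    my ($header) = @_;
    my ($user, $pass) = parse_basic($header) or return 0;
    # Unknown users are checked against a dummy record so both paths do the same work.
    my $rec = $users{$user} || ['constructed-dummy', $ITER, "\0" x 32];
    my $ok  = ct_eq(pbkdf2_sha256($pass, $rec->[0], $rec->[1]), $rec->[2]);
    return ($ok && exists $users{$user}) ? 1 : 0;
}

# In a CGI script the header would be read from $ENV{HTTP_AUTHORIZATION}.
printf "%-30s => %s\n", $_, check_auth('Basic ' . encode_base64($_, '')) ? 200 : 401
    for 'demo:constructed-passphrase', 'demo:wrong', 'nobody:x';
```

Basic credentials are only base64-encoded on the wire, so a check like this belongs behind TLS.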