Apache's .htpasswd files consist of user/password pairs, one pair per line, eg:
module provides the methods you will need to manage user accounts within .htpasswd (or other password files with the same format)- add and remove users, set & reset passwords. The module provides only an object orientated interface. For a more complete user management solution you may want to look at
but for customised user management and integration with your site Apache::Htpasswd is a great tool.
Here is a sample CGI script to allow a user to change their own password. It requires the user to know their own password first. This script should be run from within a .htaccess protected directory! It uses the $ENV{REMOTE_USER} variable which can be manipulated by an "attacker" however they would still then need to know the existing password for any user they specify.
#!/usr/bin/perl -wT
#
#
BEGIN {
# make the environment safe
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = "";
}
use strict;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use Apache::Htpasswd;
my $cgi = new CGI;
$|++;
my %settings = (title => "htpasswd change page",
dir => "/home/user/public_html/cgi-bin",
htpasswd => ".htpasswd",
fields => [ "old_passwd", "new_passwd", "new_passwd2
+" ],
);
$settings{user} = $ENV{REMOTE_USER};
my $htpasswd = new Apache::Htpasswd("$settings{dir}/$settings{htpasswd
+}");
print_page_headers($settings{title});
process_form();
print_form();
exit;
sub process_form {
return unless ( $cgi->param('change') );
my %data;
for my $field ($cgi->param()){
if ( scalar grep /^\Q$field\E$/, @{$settings{fields}} ){
# its a field we know about
my $tmp = substr($cgi->param($field), 0, 50);
$tmp = lc($tmp) if ( $field eq "change_user_name" );
$data{$field} = $tmp || '';
}
}
if ( !$data{old_passwd} or !$data{new_passwd} or !$data{new_passwd2}
+ ){
print $cgi->p("You must fill out all fields!");
return;
}
if ( ! $htpasswd->htCheckPassword($settings{user}, $data{old_passwd}
+) ){
print $cgi->p("Old password incorrect or invalid user name");
return;
}
if ( $data{new_passwd} eq $data{old_passwd} ){
print $cgi->p("New password must be different to old password!");
return;
}
if ( $data{new_passwd} ne $data{new_passwd2} ){
print $cgi->p("New passwords don't match!");
return;
}
if ( $data{new_passwd} !~ /^\S{6,8}$/ or $data{new_passwd} !~ /[^a-z
+A-Z]+/ ){
print $cgi->p("New password must be 6-8 chars and contain at least
+ one number or punctuation character");
return;
}
$htpasswd->htpasswd($settings{user}, $data{new_passwd}, $data{old_pa
+sswd});
if ( my $error = $htpasswd->error() ){
print $cgi->p("There was en error: [$error]");
}
else {
print $cgi->p("Password for $settings{user} was succesfully change
+d");
}
}
sub print_page_headers {
my $title = shift || "Page without a title";
print $cgi->header();
print $cgi->start_html($title);
print $cgi->h2($title);
print $cgi->hr();
return;
}
sub print_form {
for (@{$settings{fields}} ){
$cgi->delete($_);
}
print $cgi->start_form();
print $cgi->b("Password Change for $settings{user}");
print $cgi->table({-border=>0},
$cgi->Tr(
$cgi->td("Enter your ", $cgi->strong("old"), " password"),
$cgi->td($cgi->password_field( -name => 'old_passwd',
-value => '',
-size => 10,
-maxlength => 8))),
$cgi->Tr($cgi->td("Enter your ", $cgi->strong("new"), " password"),
$cgi->td($cgi->password_field( -name => 'new_passwd',
-value => '',
-size => 10,
-maxlength => 10))),
$cgi->Tr($cgi->td("Re-Enter your new password"),
$cgi->td($cgi->password_field( -name => 'new_passwd2',
-value => '',
-size => 10,
-maxlength => 10)),
$cgi->td($cgi->submit( -name => 'change',
-value => 'Change Password'))),
);
print $cgi->end_form(), $cgi->hr();
print $cgi->end_html();
print "\n";
}
To prohibit downloading of your .htpasswd & associated files your .htaccess should look something like this:
AuthType Basic
AuthName "Authorisation Required"
AuthUserFile /path/to/.htpasswd
<files ~ "^\.ht">
Order allow,deny
Deny from all
</files>
<Limit GET POST>
require user username
</Limit>
