
Apache AuthBasic Letting more than 1 user in



6:09 am on Jan 6, 2009 (gmt 0)

10+ Year Member

Hi - I just reread [httpd.apache.org...]
Apache Authentication, Authorization, and Access.

When one uses Auth Basic it says -
"The directives above only let one person (specifically someone with a username of rbowen) into the directory. In most cases, you'll want to let more than one person in. This is where the AuthGroupFile comes in."

1. I understand that the directory is protected with a userid of rbowen, and a password, and that if one does not set up a group file then only that userid and password can log in.

It does not say if this userid/password can be used at the same time, by multiple people to login to the directory during the same time period? (That is, the directory is protected - and everyone is using the same userid/password & people don't have individual logins.) Is this true?

OR, another possibility - if person A is logged in with rbowen, then no-one else can login with rbowen until the Person A logs out?

Which one is true?




8:58 pm on Jan 6, 2009 (gmt 0)

5+ Year Member

The credentials are sent with every http request, so there isn't really a "log in" involved. Multiple users can use the same log-in credentials at the same time.



10:09 pm on Jan 7, 2009 (gmt 0)

10+ Year Member

Reply, thank you for the answer.

If I go forward, as stated in the Apache documentation, and set up a group file ---

1. for 300 persons that I want to give the following ability to: click on emailed URLs so that they can view documents residing in the directory that I have protected with my .htaccess file.

2. I would set it up (I have to go back and look at the Apache auth doc) - but I think it would be with a userid / passwd, individually for all the people, rather than all of them using the rbowen login credential.

3. Can I assume based on how you mentioned 'login credential' that each person becomes 'authorized' via being able to enter their userid and passwd - to view the file, copy it off, print it (whatever).

3. However, since these people never went through an 'authentication' procedure, such as a 'login' to the unix side, they are not 'unique'.
That is, even with a group file containing credentials for 300 persons, there can still be 2 Deb's authorized at the same time to view the file. (Just like there could have been multiple 'rbowen's viewing the file.)

thanx again.


If one set up a group file for let's say 300 potential users - these users don't reside in the unix passwd file - because they don't interact with the machine in that fashion. I want to


10:13 pm on Jan 7, 2009 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Is there a reason you don't want to use a cookie based auth system?

[edited by: Demaestro at 10:14 pm (utc) on Jan. 7, 2009]


10:45 pm on Jan 7, 2009 (gmt 0)

10+ Year Member

From my days as a unix admin, I 'think' ;-) I have some 'clue' about controlling a directory. I don't have as much html programming, web development experience. I currently have no idea how to program a cookie into a web page. I sort of go in the direction I have some inkling about. Is a cookie something I program in - or is it something I ask Apache to implement for a web page? Are cookies used for basic html/css type pages - no sql - no php, etc.

Are you saying something like - Deb tries to view the file - gets authorized via apache - then I get a cookie - therefore I can become a unique Deb?

Did that make sense?


3:27 am on Jan 8, 2009 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member


A cookie based system would require some coding outside of Apache with some server side scripting like PHP or Python.

There is nothing wrong with a basic auth system, it is just when you have several users it is easier to manage and track all the activity of a logged in user if you use cookies.

Basically it would go like this....

Deb goes to an HTML login page, after a correct login your login method would set a cookie with a unique username. Then Deb requests a file from a private directory only accessible by a PHP/Python method. That method checks for the cookie and verifies the cookie, then fetches the file. So Deb would never actually get access to that directory, but a method with access to that directory can serve the files.
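The flow described in the post above, sketched in Python as an added example that is not part of the original thread: a login step issues an HMAC-signed cookie carrying the username, and a fetch step verifies the cookie before reading from the private directory. The cookie format, `SECRET`, `MAX_AGE` and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, tempfile, time

SECRET = os.urandom(32)   # server-side signing key (assumption: one per deployment)
MAX_AGE = 3600            # cookie lifetime in seconds (assumption)

def _mac(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(username, now=None, key=SECRET):
    """Called after a correct login: returns 'username|expiry|mac'."""
    if "|" in username:
        raise ValueError("username may not contain '|'")
    expiry = int(now if now is not None else time.time()) + MAX_AGE
    payload = f"{username}|{expiry}"
    return f"{payload}|{_mac(payload, key)}"

def verify_cookie(cookie, now=None, key=SECRET):
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiry, mac = parts
    expected = _mac(f"{username}|{expiry}", key)
    # Constant-time comparison, so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    current = now if now is not None else time.time()
    if not expiry.isdigit() or int(expiry) < current:
        return None
    return username

def fetch_file(cookie, name, private_dir, now=None, key=SECRET):
    """Serve a file from private_dir only for a valid cookie; returns (user, bytes)."""
    user = verify_cookie(cookie, now, key)
    if user is None:
        raise PermissionError("missing or invalid cookie")
    root = os.path.realpath(private_dir)
    path = os.path.realpath(os.path.join(root, name))
    # Refuse names such as '../x' that resolve outside the private directory.
    if os.path.commonpath([root, path]) != root:
        raise PermissionError("path escapes the private directory")
    with open(path, "rb") as fh:
        return user, fh.read()

def demo():
    """Constructed sample: one private document and one user called deb."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.txt"), "wb") as fh:
            fh.write(b"quarterly numbers")
        cookie = issue_cookie("deb", now=1000)
        return fetch_file(cookie, "report.txt", d, now=1001)
```

Because the username comes out of a verified cookie, each request can be logged against that user; in a deployment the cookie would be sent over HTTPS with the `Secure` and `HttpOnly` attributes.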

