Password Protecting Directories with PERL

BumbleBeeWare.com has become extremely popular, primarily because of the captcha for perl script. Since we are one of the few sites with an understandable captcha solution, and a free one at that, more and more webmasters are turning to this site as a resource for perl scripts. Therefore we are developing some more advanced scripts that are ready to use.

This ready to go simple perl script is a password management system. Although I have offered a simple password script to show how to add passwords, many people have asked for a complete program to add, remove and manage passwords for multiple directories.

This program will manage any number of password files for extensive sites with many sensitive areas. All the password files will be in a data directory and will be updated by the program. Each corresponding directory must have a .htaccess file in it with the path to the password file for that directory.

This program offers very little error checking since it is for administration. But, like the other programs here, it is a great starting point to build on. It will do everything you need to manage users manually. It allows you to add users, remove users, look up passwords and list all users in each file.

Download the Password Management Script

The Configuration

To configure the program you only need to adjust 2 things: the names of the password files and the path to the data directory where the files will be stored. The data directory must be web writeable or chmod 0777.

# main data directory to store password files in
$datadir = "/var/www/website/data";

# list of password files
@securepassfiles = ("admin","secure");

The pass files should have user friendly names like admin or secure or members. Those are the names you will use when constructing the .htaccess files. The program adds the extension .pass to the password file and .data to the data file, which contains the actual passwords.

The .htaccess file is a standard file pointing to the password file in the data directory. Just use a text editor and create a file called .htaccess with the following text.


AuthName "Authorized Users Only"
AuthType Basic
AuthUserFile path_to_passfile

require valid-user


Just replace path_to_passfile with the actual path to the file in the data directory that corresponds with the directory you are password protecting.

If the path to your data directory is /var/www/website/data and you want to use the file name "secure" then the full path would be /var/www/website/data/secure.pass

Save the file in the directory you want to password protect allowing access to all the people listed in the secure.pass file.

Upload the pwdmanage.cgi in text format to your cgi-bin or any directory that allows you to run perl scripts. You will want to password protect the directory that the script is in so other people can't make their own passwords. If you can only run scripts in the cgi-bin, then make a sub directory like /cgi-bin/passwords and then password protect only the password directory so you don't password protect the entire cgi-bin.

Make the script executable or chmod 0777.

Then just use it to create the passwords for your directories. For each new password file, add its name to the list in @securepassfiles = ("admin","secure");. The new names will now appear in your main page and the files will be created automatically.

Developer Notes - This program is not written in the most efficient manner but rather the most workable format. With each function such as adding users a separate subroutine, you can easily modify the html and form fields for each action. The program is not going to have heavy use, so there is no need to streamline the code like you would with general access. The important part is making the program the most useful and the least complicated.

The .data files can of course contain much more data such as name, address, phone and so on. The sub that accesses the passwords can be expanded to show the additional data so the program is more functional.

In a secure situation, you would not keep the actual passwords. But for most applications it is fine. Since the file can be kept in a non web readable directory, the only other people with access are other websites sharing your server. In the case of shared hosting if you are concerned about security, then don't use the password data file. Anyone sharing your server can easily access any of your files. If you only use the .pass file, all passwords are encrypted and cannot be read. So use the files accordingly.
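As an added example (not code from pwdmanage.cgi, whose source is not shown on this page), here is one way an add-user routine could write only the hashed .pass entry while checking its inputs first. The name add_user, the user-name pattern, the "$6$" crypt scheme and the 0640 file mode are assumptions made for illustration.

```perl
use strict;
use warnings;
use Fcntl qw(:flock O_RDWR O_CREAT);

# Same two settings as the configuration block on this page.
my $datadir         = "/var/www/website/data";
my @securepassfiles = ("admin", "secure");

# Hypothetical helper (not from pwdmanage.cgi): add or replace one user.
sub add_user {
    my ($passfile, $user, $password) = @_;

    # Allow-list check: only names configured above may be used, so a
    # submitted form value can never become an arbitrary file path.
    die "unknown password file\n"
        unless grep { $_ eq $passfile } @securepassfiles;

    # A ":" or newline in the name would corrupt the user:hash format.
    die "invalid user name\n" unless $user =~ /\A[A-Za-z0-9_.-]{1,32}\z/;
    die "empty password\n"    unless length $password;

    # Salted hash via the system crypt(); the "$6$" (SHA-512) scheme is an
    # assumption about the platform. Salt comes from /dev/urandom.
    open(my $rnd, '<:raw', '/dev/urandom') or die "urandom: $!\n";
    read($rnd, my $bytes, 12) == 12 or die "short read\n";
    close $rnd;
    my @set  = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    my $salt = join '', map { $set[ord($_) % 64] } split //, $bytes;
    my $hash = crypt($password, '$6$' . $salt . '$');
    die "crypt() does not support this scheme\n"
        unless defined $hash && $hash =~ /\A\$6\$/;

    # Create the file without world access (0640 assumes the web server is
    # the owner or in the group) and hold an exclusive lock so two
    # simultaneous requests cannot interleave their writes.
    my $path = "$datadir/$passfile.pass";
    sysopen(my $fh, $path, O_RDWR | O_CREAT, 0640) or die "open: $!\n";
    flock($fh, LOCK_EX) or die "lock: $!\n";
    my @keep = grep { !/\A\Q$user\E:/ } <$fh>;
    seek($fh, 0, 0);
    truncate($fh, 0);
    print {$fh} @keep, "$user:$hash\n";
    close($fh) or die "close: $!\n";
    return 1;
}

# Example call from a form handler: add_user("secure", $user, $password);
```

Because nothing is written to a .data file, the plaintext password never reaches disk; the trade-off is that the script's password lookup feature has nothing to show.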

This is a great quick and dirty little script that you could use as the starting point for a full scale membership system with automated payments and expirations.

If you already understand .htaccess files, this script will be very useful. If you don't, then do some additional research and find out what .htaccess files are and how they work before trying to use this script.