Self-Registering Password Protection, Part 1
By Randal L. Schwartz
For the most part, the Web is about sharing: sharing what you have with as many people as possible, all comers accepted. But sometimes you have stuff that you want to share with a smaller community of people. If I were faced with this task, I might say, "no problem." My Apache Web server can use basic authentication, compatible with all the popular browsers, that lets me restrict access to those who know the username and the password.
Well, "yes problem," I must then say. I can give all members of my group the same username and password, but when a member leaves, I have to update all the remaining members with a new password. OK, then, the alternative is to give each user his or her own password. Ugh. I have a tough enough time coming up with interesting unguessable memorable passwords for my own access areas, and now I have to come up with 10 or 100 others?
Blech.
Well, then, let's let the users pick their own usernames and passwords. After all, it works for most of the sites out there. But how does it work for those sites? Let's take a look.
First, although I'm using the basic authentication protocol, the kind that displays the little box in the browser looking for a username and password, I won't be using the traditional htpasswd files on the server side. I'm going to invent my own database that relates four items: (1) an email address, (2) a set of "keys" that the user owns, (3) the basic-auth username, and (4) the encrypted basic-auth password.
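As an added illustration, not the column's own code, here is a minimal Python sketch of that four-item database and a check of a browser's Basic Authorization header against it; the PBKDF2 hashing, the key names and the sample users are assumptions chosen for the example.

```python
# Added example: an in-memory version of the four-item user database
# (email, owned keys, basic-auth username, hashed password) plus an
# Authorization-header check. Hashing scheme, key names and sample
# records are assumptions for illustration, not the column's own code.
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed)

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$hexdigest' for storage; the clear text is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed sample records: email, keys the user owns, hashed password.
USERS = {
    "alice": {"email": "alice@example.com", "keys": {"members", "admin"},
              "password": hash_password("correct horse")},
    "bob": {"email": "bob@example.com", "keys": {"members"},
            "password": hash_password("battery staple")},
}

def check_basic_auth(header, required_key: str) -> bool:
    """Accept only if the Basic credentials match a stored user who owns
    required_key; a missing or malformed header is simply rejected."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        userpass = base64.b64decode(header[6:], validate=True).decode()
        username, password = userpass.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    user = USERS.get(username)
    if user is None or not verify_password(password, user["password"]):
        return False
    return required_key in user["keys"]

def make_header(username: str, password: str) -> str:
    """Build the header a browser sends after the little login box."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

Removing a member is then a single record deletion; no other member's password changes.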