Adding a user to an IISPassword protected folder via scripting

A lot of Windows/Helm webhosts now have IISPassword installed on their servers to enable password protection of folders. This works in a similar way to htaccess on Apache.

Normally, the only way to add a user to a secured folder is to do it via the Helm control panel but, as I have clients who I don't give Helm access to, I needed to find a way for them to do this via scripting.

Hopefully, I could post a username and password from a form to the script which would then:

  • Add the user to the .htaccess file (or the .htgroups file)
  • Encrypt the password
  • Create the username:encrypted password pair
  • Add the username:encrypted password pair to the .htpasswd file.

The problem was finding a way of encrypting the password so that IISPassword would accept it!

After testing different encryption methods, I found that using the PHP function crypt() with a two character random salt worked.

This meant that I'd have to use PHP rather than my usual ASP to write the script!

The form

All that's required is a simple HTML form with the method "post" and the action "adduser.php" (so the form is posted to the adduser.php script page), containing two text fields named user (for the new user's username) and pass (for the new user's password).

The script

The first step is to grab the posted user and pass form fields and write the encryption routine:

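<?php
// Read the posted form fields (array keys must be quoted strings)
$user = isset($_POST['user']) ? trim($_POST['user']) : '';
$pass = isset($_POST['pass']) ? trim($_POST['pass']) : '';

// The username is written verbatim into line-based files, so reject
// anything other than letters, digits, dot, underscore and hyphen
if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $user) || $pass === '') {
    die("invalid username or password");
}

// Generate the 2 character random salt (mt_rand() seeds itself)
$chars = array_merge(range('a','z'), range('A','Z'), range(0,9));
$salt = '';
for ($i = 0; $i < 2; $i++)
{
    $salt .= $chars[mt_rand(0, count($chars)-1)];
}

// Encrypt the password (a 2 character salt selects the traditional
// DES-based crypt(), which only uses the first 8 characters of $pass)
$crypt_pass = crypt($pass, $salt);

// Construct the username:password pair
$htpasswd_text = $user.":".$crypt_pass;
?>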

Then add the new username:password pair to the .htpasswd file which is located in the 'secure' folder above the webspace.

<?php
// Append the .htpasswd file with the new username:password pair
$myFile = "../../secure/.htpasswd";
$fh = fopen($myFile, 'a') or die("can't open .htpasswd file");
$stringData = "\n".$htpasswd_text;
fwrite($fh, $stringData);
fclose($fh);
?>

The next step depends on whether you want to add users to the .htaccess file in your secured folder or you use a group and want to add users to the group in the .htgroups file (located in the 'secure' folder above your webspace).

If you choose the .htaccess method, the 'Require user' list must be the last text in the .htaccess file and there must already be at least one user listed.

<?php
// If you add individual users to the .htaccess file do this:
// Append the .htaccess file with the new user
$myFile = "../secured_folder/.htaccess";
$fh = fopen($myFile, 'a') or die("can't open .htaccess file");
$stringData = " ".trim($user);
fwrite($fh, $stringData);
fclose($fh);
?>

If you choose the .htgroups method, the group you are adding users to must be the last group listed in the .htgroups file, there must already be at least one user listed in the group and the group must already be listed after 'Require group' in the .htaccess file.

<?php
// If you use a group in your .htaccess file and add individual users to the .htgroups file do this:
// Append the .htgroups file with the new user
$myFile = "../../secure/.htgroups";
$fh = fopen($myFile, 'a') or die("can't open .htgroups file");
$stringData = " ".trim($user);
fwrite($fh, $stringData);
fclose($fh);
?>

Finally, check that the relative paths to the .htpasswd, .htaccess and .htgroups files are correct in the scripts, save the whole script file as adduser.php and test it!
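
The .htpasswd append step with the username checked before it is written, as an added example rather than code from the original script. The function name add_htpasswd_user, the allowed character set, the duplicate check and the temporary-file demo are assumptions.

```php
<?php
// Added example, not the original adduser.php. The function name, the
// allowed character set and the temp-file demo are assumptions.
function add_htpasswd_user(string $file, string $user, string $pass): string
{
    // Usernames are written verbatim into .htpasswd, .htaccess and .htgroups,
    // so a colon, space or newline would forge fields, users or directives.
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $user)) {
        return 'invalid username';
    }
    if ($pass === '') {
        return 'empty password';
    }
    $fh = fopen($file, 'c+');           // create if missing, never truncate
    if ($fh === false) {
        return 'cannot open file';
    }
    flock($fh, LOCK_EX);                // serialise concurrent form posts

    // Refuse duplicates: two lines for one name make the result ambiguous.
    $last = "\n";
    while (($line = fgets($fh)) !== false) {
        $last = $line;
        if (explode(':', rtrim($line, "\r\n"), 2)[0] === $user) {
            fclose($fh);                // closing the handle releases the lock
            return 'user exists';
        }
    }

    // Two-character salt, as the page describes, from the crypt() alphabet.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];

    // Start a new line only if the file does not already end with one.
    $prefix = (substr($last, -1) === "\n") ? '' : "\n";
    fseek($fh, 0, SEEK_END);
    fwrite($fh, $prefix . $user . ':' . crypt($pass, $salt) . "\n");
    flock($fh, LOCK_UN);
    fclose($fh);
    return 'added';
}

// Constructed demo against a temporary file (not a real .htpasswd).
$tmp = tempnam(sys_get_temp_dir(), 'htp');
echo add_htpasswd_user($tmp, 'alice', 'secret1'), "\n";
echo add_htpasswd_user($tmp, 'alice', 'other'), "\n";
echo add_htpasswd_user($tmp, "bob\nroot:xx", 'secret2'), "\n";
unlink($tmp);
```

The same username check applies before appending to the .htaccess or .htgroups file, since both take the name as a space-separated token.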