Evan S Kaufman


Web::Passwd - Web-based htpasswd Management


Version 0.03


Web::Passwd is a web-based utility for managing Apache htpasswd files. It uses the CGI::Application framework, so functionality is encapsulated in the module and very little code is required to create an instance:

    use Web::Passwd;
    my $webapp = Web::Passwd->new();
    $webapp->run();   # CGI::Application handles the request in run()

That's it. Drop that script in a web-accessible cgi directory and give it execute permissions, and (assuming a default config file is found), you're good to go. If you'd rather explicitly define a configuration file to use, you can pass it through an extra parameter:

    my $webapp = Web::Passwd->new( PARAMS => { config => '/home/evan/custom_webpasswd.conf' } );


If not explicitly provided, a configuration file will be searched for in the following locations (in order). If a valid configuration file is not found, the script will die with errors.

  ./webpasswd.conf    (the current directory)
  ../webpasswd.conf   (the parent directory)

The configuration file can be used to specify a directory of templates in the HTML::Template format. If no templates are found, default templates are used (see the /example/templates directory of the distribution).

  tmpl_path = /var/www/cgi-bin/webpasswd/

The htpasswd command can also be specified. If no htpasswd command is provided, the default is used. Note that, on some systems, you must specify the absolute path to the htpasswd binary.

  htpasswd_command = htpasswd

The configuration file can specify whether to use the GET (data encoded into the URL) or POST (data encoded into the message body) form request method. Defaults to using the generally more secure POST.

  form_method = POST

The configuration file should also contain a section for each htpasswd file it will be used to maintain, using the following format:

  [Descriptive Name]
  path = /system/path/to/passwdfile
  algorithm = {crypt|md5|sha|plain}

TECHNICAL NOTE: The default algorithm Apache uses is crypt under Linux, and MD5 under Windows.

PITFALL: Enclosing values in quotes within the config file does not have the expected effect! It simply includes the literal quote characters in the config value.
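
A small linter for the configuration format described above, as an added example (not part of Web::Passwd or its distribution). It flags the quoting pitfall, a GET form method, sections without a path, and algorithm values outside the listed set; the parser, the `#`/`;` comment handling, the sample file and the weakness notes for plain, crypt and sha are assumptions added here.

```python
ALGORITHMS = {"crypt", "md5", "sha", "plain"}      # values the page lists
WEAK = {"plain": "passwords stored in cleartext",  # weakness notes: added here
        "crypt": "traditional crypt() ignores characters after the 8th",
        "sha": "unsalted SHA-1"}

def parse(text):
    """Return {section: {key: value}}; global keys sit under section ''."""
    conf, section = {"": {}}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":            # comment syntax: assumption
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()   # quotes are kept
    return conf

def audit(text):
    """Return a list of (section, key, message) findings."""
    findings = []
    for section, keys in parse(text).items():
        for key, value in keys.items():
            if value.startswith(('"', "'")) or value.endswith(('"', "'")):
                findings.append((section, key, "quotes become part of the value"))
        if section == "":
            if keys.get("form_method", "POST").upper() == "GET":
                findings.append(("", "form_method", "GET puts form data in the URL"))
            continue
        if "path" not in keys:
            findings.append((section, "path", "no htpasswd file configured"))
        algo = keys.get("algorithm")
        if algo is not None and algo not in ALGORITHMS:
            findings.append((section, "algorithm", "not one of crypt|md5|sha|plain"))
        elif algo in WEAK:
            findings.append((section, "algorithm", WEAK[algo]))
    return findings

# Constructed sample configuration (not from the distribution).
SAMPLE = """\
form_method = GET

[Staff Area]
path = "/var/www/private/.htpasswd"
algorithm = plain
"""

if __name__ == "__main__":
    for section, key, message in audit(SAMPLE):
        print(f"[{section or 'global'}] {key}: {message}")
```
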


It is *imperative* that the Web::Passwd instance script itself be htpasswd protected, as it includes no access control mechanism.

Understand that putting the ability to manage htpasswd files via a web-based utility carries an inherent security risk, in that anyone who gains access to the utility is potentially given access to any of the managed htpasswd-protected resources.

Any htpasswd files to be managed with this utility MUST be owned by whatever user Apache runs as. Usually, this is 'apache' or 'nobody'.


This was written expressly for Apache webserver 1.3 or higher running under Linux. However, there is nothing as far as I am aware that would prevent execution on a higher version of Apache, or on Apache under Windows.


A Perl version of 5.6.1 or higher is recommended, and the following modules are required:



Evan Kaufman, <evank at>


You can find documentation for this module with the perldoc command.

    perldoc Web::Passwd


Written for BCD Music Group.


Copyright 2007 Evan Kaufman, all rights reserved.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.