[K12OSN] password protect web dirs with htaccess?

Shabbir R Hassanally shabbirh at raha.com
Sat Jan 22 10:29:00 UTC 2005


You might find this information useful:


Although there are many uses of the .htaccess file, by
far the most popular, and probably most useful, is
being able to reliably password protect directories on
websites. Although JavaScript etc. can also be used to
do this, only .htaccess has total security (as someone
must know the password to get into the directory,
there are no 'back doors')

The .htaccess File

Adding password protection to a directory using
.htaccess takes two stages. The first part is to add
the appropriate lines to your .htaccess file in the
directory you would like to protect. Everything below
this directory will be password protected:

AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/.htpasswd
Require valid-user

There are a few parts of this which you will need to
change for your site. You should replace "Section
Name" with the name of the part of the site you are
protecting e.g. "Members Area".

The /full/path/to/.htpasswd should be changed to
reflect the full server path to the .htpasswd file
(more on this later). If you do not know what the full
path to your webspace is, contact your system
administrator for details.

The .htpasswd File

Password protecting a directory takes a little more
work than any of the other .htaccess functions because
you must also create a file to contain the usernames
and passwords which are allowed to access the site.
These should be placed in a file which (by default)
should be called .htpasswd. Like the .htaccess file,
this is a file with no name and an 8 letter extension.
This can be placed anywhere within your website (as the
passwords are encrypted) but it is advisable to store
it outside the web root so that it is impossible to
access it from the web.

Entering Usernames And Passwords

Once you have created your .htpasswd file (you can do
this in a standard text editor) you must enter the
usernames and passwords to access the site. They
should be entered as follows:


where the password is the encrypted format of the
password. To encrypt the password you will either need
to use one of the premade scripts available on the web
or write your own. There is a good username/password
service at the KxS site which will allow you to enter
the user name and password and will output it in the
correct format.

For multiple users, just add extra lines to your
.htpasswd file in the same format as the first. There
are even scripts available for free which will manage
the .htpasswd file and will allow automatic
adding/removing of users etc.

Accessing The Site

When you try to access a site which has been protected
by .htaccess your browser will pop up a standard
username/password dialog box. If you don't like this,
there are certain scripts available which allow you to
embed a username/password box in a website to do the
authentication. You can also send the username and
password (unencrypted) in the URL as follows:



.htaccess is one of the most useful files a webmaster
can use. There are a wide variety of different uses
for it which can save time and increase security on
your website.

The procedure should be pretty much the same - for
your remote servers and for your intranet based
servers - essentially under Apache, securing a
directory is pretty much the same.

The link below will help you generate your .htpasswd
file correctly:


From what I can see, you seem to have everything in
place as it should be, however, you might want to
check your httpd.conf (Apache Configuration) file to
be sure that the settings are as described in the
article I've pasted.

This link (from Yahoo Search - because Google is
EVIL!! - see http://www.google-watch.org/) has a
number of resources that you might find useful:


Let me know how you get on :)

Warm Regards


--- debbie at redeemer.qld.edu.au wrote:

> Hi All,
> I want to password protect some directories in
> /var/www/html/ for staff only.
> I've used .htaccess & .htpasswd files in the past
> using far-away host machines
> and FTP but never on my own linux box on an
> intranet. And it's not working,
> i.e. no pop up asking for a password, I can access
> the 'secure' directory.
> I have the .htaccess file in
> /var/www/html/staffonly/ and the .htpasswd file in
> /var/www/... is there something else I should know
> about the php.ini or other
> apache setting to make this all work?
> Thanks,
> Debbie
> (Back to school on Monday!!)
> --
> http://www.redeemer.qld.edu.au/
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
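
Added example, not part of the original message or the pasted article: a common reason a .htaccess file is silently ignored, as in the quoted question, is that httpd.conf sets AllowOverride None for that directory, so the AuthType/AuthUserFile/Require lines are never read. The Python sketch below checks which AllowOverride value applies to a directory; the configuration excerpts are constructed and the function names are hypothetical.

```python
import re

# Constructed httpd.conf excerpt (not from the thread): overrides disabled everywhere.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""
# Same excerpt plus a section that permits auth directives in .htaccess.
FIXED_CONF = SAMPLE_CONF + """
<Directory "/var/www/html/staffonly">
    AllowOverride AuthConfig
</Directory>
"""

def effective_allow_override(conf_text, target_dir):
    """Return the AllowOverride values applying to target_dir, or None if unset.

    Simplification: only plain-path <Directory> sections are read; wildcard,
    regex and <DirectoryMatch> sections and Include files are ignored.
    """
    target = target_dir.rstrip("/") + "/"
    current, found = None, []
    for raw in conf_text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^"*?~>]+)"?\s*>$', raw.strip(), re.I)
        if opened:
            current = opened.group(1).strip().rstrip("/") + "/"
        elif words[0].lower().startswith("</directory"):
            current = None
        elif current and words[0].lower() == "allowoverride":
            if target.startswith(current):
                found.append((len(current), words[1:]))
    # Apache merges <Directory> sections from shortest path to longest,
    # so the longest matching path supplies the final value.
    return sorted(found, key=lambda f: f[0])[-1][1] if found else None

def htaccess_auth_honoured(conf_text, target_dir):
    """True when AuthType/AuthUserFile/Require in .htaccess will be applied."""
    values = effective_allow_override(conf_text, target_dir)
    if values is None:  # no explicit setting: the default differs by Apache version
        return False
    return any(v.lower() in ("all", "authconfig") for v in values)
```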

