.htaccess password protection

If you ever wanted a specific directory of your website to be protected with a password, htaccess is the right solution!

There are various methods of password-protecting the directories and files of your website: some are server-side, written in languages such as ASP, PHP or Perl, and some are client-side, such as JavaScript. JavaScript is not as secure or foolproof as a server-side option; a server-side challenge/response is always more secure than one that depends on the client. htaccess is about as secure as you can or need to get in everyday life, though there are methods that go above and beyond even htaccess.

The first thing you will need to do is create a file called .htpasswd. I know, you might have problems with the naming convention, but it is the same idea as naming the .htaccess file itself, and you should be able to do that by this point. In the htpasswd file you place the username and the password (stored in hashed form, not as plain text) of each person you want to have access.

For example, with a username and password both set to admin (I recommend using a password that differs from the username), the htpasswd file would look like this:

admin:x3E5Vc8e3EYV

Notice that it is the username first, followed by the password hash. Here you can find a tool that will hash the password into the proper encoding for use in the htpasswd file.

For security, you should not upload the htpasswd file to a directory that is web accessible (yoursite.com/.htpasswd); it should be placed above your www root directory. You’ll be specifying its location later on, so be sure you know where you put it. Also, this file, like htaccess, should be uploaded as ASCII (text format) and not BINARY.

Create a new htaccess file and place the following code in it:

AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user admin

The first line is the full server path to your htpasswd file. If you have installed scripts on your server, you should be familiar with this. Please note that this is not a URL; it is a server path. Also note that if you place this htaccess file in your root directory, it will password protect your entire site, which probably isn’t what you want.

The require user line is where you enter the username of those who you want to have access to that part of your site. Note that this allows only that specific user to access the directory, which is useful if your htpasswd file has multiple users set up in it and you want each one to have access to a different directory. If you want the entire list of users to have access to that directory, replace require user admin with require valid-user. Note that "admin" is a generic username; you can change it as you desire.

The AuthName is the name of the area you want to protect. It could be anything, such as “EnterPassword”. You can change the name of this ‘realm’ to whatever you want, within reason. AuthType Basic is used because basic HTTP authentication is used.
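The whole procedure above (build the .htpasswd entries, keep the file outside the document root, then write the .htaccess that points at it) as an added, self-contained Python example; this is not code from the original post or from Apache. It produces entries in Apache's {SHA} scheme (the format `htpasswd -s` writes) because that needs only the standard library; on a real server prefer `htpasswd -B`, which uses bcrypt and is what Apache currently recommends. The username, paths and realm are the ones used on this page; the check that rejects a URL in AuthUserFile and the check that the .htpasswd path is outside the document root are this example's own additions.

```python
"""Build and sanity-check the two files this page describes:
a .htpasswd with {SHA} entries and the .htaccess that references it."""
import base64
import hashlib
import hmac
from pathlib import PurePosixPath


def sha_hash(password: str) -> str:
    """Apache's {SHA} scheme: base64 of the raw SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_entry(user: str, password: str) -> str:
    """One .htpasswd line: username, a colon, then the hash (never the plain password)."""
    if not user or ":" in user:
        raise ValueError("username must be non-empty and must not contain ':'")
    return f"{user}:{sha_hash(password)}"


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored hash, skipping blank lines and '#' comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(users: dict, user: str, password: str) -> bool:
    """Verify a login the way the server would: hash the candidate and compare
    in constant time. Unknown users and non-{SHA} entries are rejected."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_hash(password))


def is_outside_docroot(htpasswd_path: str, docroot: str) -> bool:
    """True when the .htpasswd path is absolute and not under the web root,
    so it can never be fetched as yoursite.com/.htpasswd."""
    path = PurePosixPath(htpasswd_path)
    return path.is_absolute() and PurePosixPath(docroot) not in path.parents


def render_htaccess(htpasswd_path: str, users=None, realm: str = "EnterPassword") -> str:
    """Render the .htaccess from the page. AuthUserFile must be a server path,
    not a URL; with no user list the whole file is allowed via 'require valid-user'."""
    if htpasswd_path.startswith(("http://", "https://")):
        raise ValueError("AuthUserFile takes a filesystem path, not a URL")
    require = "require valid-user" if not users else "require user " + " ".join(users)
    lines = [
        f"AuthUserFile {htpasswd_path}",
        "AuthGroupFile /dev/null",
        f'AuthName "{realm}"',
        "AuthType Basic",
        require,
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed demo values: the page's example credentials (admin/admin,
    # which the author advises against) and the page's example server path.
    entry = make_entry("admin", "admin")
    print(entry)  # admin:{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc=
    users = parse_htpasswd(entry + "\n")
    print("login ok:", check_password(users, "admin", "admin"))
    print("outside docroot:",
          is_outside_docroot("/usr/local/you/safedir/.htpasswd", "/usr/local/you/www"))
    print(render_htaccess("/usr/local/you/safedir/.htpasswd", ["admin"]))
```

`check_password` mirrors what mod_authn_file does at request time, which is why the stored value must be a hash and why the file must live outside the document root: anyone who can download it can run the same comparison offline at their leisure.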
