Posted on : 24-Jan-2010 | By : jontroth | In : .htaccess file, Tricks & Treats
Sometimes you may need to password protect specific folders and files on your website without creating an entire user system or a complicated setup, and there are several ways of doing this.
You can create a simple HTML username/password form that posts to a server-side script written in PHP, Perl or ASP to set a valid user session. There is also the option of using client-side JavaScript, though I would never recommend this as it is not a secure or foolproof approach.
If you are a novice to the .htaccess file then make sure you have read “The Great World of the .htaccess File” before continuing with this article.
You’ll need to create an .htpasswd file to store your username/password list. You can create it the same way as the .htaccess file, in a simple text editor, making sure you save and upload it as an ASCII file (not as a BINARY file).
You can create a password in a few different ways: using a control panel like cPanel or Plesk, using a third-party tool, or creating it directly on the server via the Unix command line.
The content of the .htpasswd file is simple: a username, a colon, and the encrypted password. For multiple usernames, add each one on a new line.
websiteUsernameTwo:Yt5etRy74R3e4
websiteUsernameThree:S5Fg47Ui89Jd
Create an .htaccess file, if you haven’t already, and enter the following (use plain straight quotes in the file; curly quotes will not parse):
AuthUserFile /usr/local/username/secure/.htpasswd
AuthGroupFile /null
AuthName "Password Protected Directory"
AuthType Basic
Require user websiteUsernameOne
AuthUserFile
This directive gives the full (absolute) path to the .htpasswd file.
Security Note: always make sure that the .htpasswd file is stored outside the www document tree. Never put it in the directory that it protects. Otherwise, users will be able to download the file.
AuthGroupFile
This directive is useful if you want to grant groups of users access to specific directories. If you don’t want to use groups then just leave it as “/null”; otherwise enter the path to your group file, such as “AuthGroupFile /usr/local/username/secure/htgroups”, and the Require directive would reference the specific group(s), like “Require group administrators”. I’ll explain how to set up groups later in this article.
Security Note: always make sure that the AuthGroupFile is stored outside the www/public_html document tree. Never put it in the directory that it protects. Otherwise, users will be able to download the file.
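Both security notes above come down to one check: none of the auth files named in .htaccess may live under the document root. The following is an added example (not from the original article) that parses the auth directives out of an .htaccess body and flags any user or group file placed inside a given document root; the sample .htaccess and the /var/www/html root are constructed for the demonstration.

```python
import os
import shlex

# Constructed sample .htaccess mirroring the directives discussed above;
# the AuthUserFile here is deliberately placed under the document root.
SAMPLE_HTACCESS = """
AuthUserFile /var/www/html/secure/.htpasswd
AuthGroupFile /null
AuthName "Password Protected Directory"
AuthType Basic
Require user websiteUsernameOne
"""

FILE_DIRECTIVES = ("AuthUserFile", "AuthGroupFile",
                   "AuthDigestFile", "AuthDigestGroupFile")


def parse_auth_directives(text):
    """Return {directive: value} for the auth-related directives in an .htaccess body."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles quoted values such as AuthName "..."
        if parts[0] in FILE_DIRECTIVES or parts[0] in ("AuthName", "AuthType"):
            found[parts[0]] = " ".join(parts[1:])
    return found


def is_inside(path, root):
    """True if path resolves to root itself or to something beneath it."""
    path = os.path.normpath(os.path.abspath(path))
    root = os.path.normpath(os.path.abspath(root))
    return path == root or path.startswith(root + os.sep)


def audit(text, docroot):
    """Return a list of findings; an empty list means the file placement looks fine."""
    findings = []
    directives = parse_auth_directives(text)
    for name in FILE_DIRECTIVES:
        value = directives.get(name)
        if value is None or value == "/null":   # /null is the article's "no group file" convention
            continue
        if not os.path.isabs(value):
            findings.append(f"{name} is not an absolute path: {value}")
        elif is_inside(value, docroot):
            findings.append(f"{name} is inside the document root and can be downloaded: {value}")
    if directives.get("AuthType", "").lower() == "basic" and "AuthUserFile" not in directives:
        findings.append("AuthType Basic without an AuthUserFile")
    return findings
```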
AuthName
This directive simply provides a string that will appear in the password dialog shown by most browsers. Example: “Top Secret”, “Protected Directory”, “Authorized Users Only”, etc.
AuthType
This directive selects the type of user authentication for a directory. Only Basic and Digest are currently available. AuthType has to be accompanied by the AuthName and Require directives, and must also have AuthUserFile and AuthGroupFile to work correctly.
If you are protecting confidential files or top secret information then don’t use Basic authentication. Even though the password is stored in an encrypted format on the server, it is sent across the network from the client to the server in what is effectively plain text (Base64 encoding, which anyone can reverse). If anyone was packet sniffing your server traffic they could easily read the username and password every time the protected directory was accessed. If you are accessing the protected directory over an SSL connection, however, then everything is encrypted in transit.
Unlike Basic authentication, Digest authentication never sends the password itself: the browser sends an MD5 hash (digest) computed from the username, realm, password and a server-supplied nonce, so a packet sniffer cannot read the raw password. Note that Digest only protects the password; the pages themselves still travel unencrypted unless you also use SSL.
To use the Digest authentication type you will need to create and use an .htdigest file instead of an .htpasswd file. Also, instead of AuthUserFile you would use AuthDigestFile, and instead of AuthGroupFile you would use AuthDigestGroupFile. (On Apache 2.2 and later, mod_auth_digest reads AuthUserFile and AuthGroupFile instead; the AuthDigestFile and AuthDigestGroupFile names only exist in older versions.)
AuthType Digest
AuthName "Password Protected Directory"
AuthDigestFile /usr/local/username/secure/.htdigest
AuthDigestGroupFile /usr/local/username/secure/digest.groups
Require group administration
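To make the Basic-versus-Digest difference concrete, here is an added example (not code from the original article) showing what each scheme puts on the wire and what the server stores and checks: a Basic header decodes straight back to username:password, while an .htdigest line holds only MD5(user:realm:password) and the server recomputes the RFC 2617 response from it. The realm, user, password, nonce and URI values are constructed for the demonstration.

```python
import base64
import hashlib


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user, password):
    """What a browser sends for AuthType Basic: Base64 of user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_header_reveals(header):
    """Decode a Basic Authorization header: Base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    return base64.b64decode(token).decode()


def htdigest_line(user, realm, password):
    """What the htdigest tool writes: user:realm:MD5(user:realm:password).
    The realm must match the AuthName in .htaccess or lookups fail."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value (qop=auth); the server recomputes it from the stored HA1."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(htdigest_text, user, realm, method, uri, nonce, nc, cnonce, response):
    """Look up user:realm in the .htdigest contents and check the client's response."""
    for line in htdigest_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user and fields[1] == realm:
            return digest_response(fields[2], method, uri, nonce, nc, cnonce) == response
    return False   # unknown user, or realm does not match AuthName


# Constructed sample .htdigest contents (not from any real server)
REALM = "Password Protected Directory"
SAMPLE_HTDIGEST = htdigest_line("websiteUsernameOne", REALM, "s3cret") + "\n"
```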
Creating your .htpasswd password
If you are using a website control panel like cPanel you can create a “Protected Directory” using their simple interface. Here is a video on how to set up a protected directory using cPanel (http://www.cpanel.net/media/tutorials/passwdprotect_lo.htm).
If you have SSH root access to your server you can also create your .htpasswd or .htdigest file, username and password from the command line. The -c flag creates a new file, so omit it when adding further users to an existing file or it will be overwritten. htdigest also takes the realm, which must match the AuthName in your .htaccess:
htpasswd -c /usr/local/username/secure/.htpasswd username
htdigest -c /usr/local/username/secure/.htdigest "Password Protected Directory" username
If you are editing your .htpasswd file manually and just need to create an encrypted password, you can use a third-party web tool such as the “htpassword generation tool” to create the password and then add it to your .htpasswd file in the username:password format shown above.
Thanks Jon – a really nice, clear how-to.
Pulled me out of a fix
How do you find ideas for articles? I always lack new ideas for articles. Some tips would be great.
One of my friends already told me about this place and I do not regret that I found this article.
It is also easy to back up and transfer all your websites from one server to another server if you have cPanel installed.
A few very important pieces of information presented in a clear way. Thanks a lot!