Search the Site

Sponsors

bottom corner

Using .htaccess file to control web directory access

The .htaccess file (ht.acl in Windows) is a great with everything from redirection to preventing bandwidth theft. Here we look at how we can use it to implement password protection for a directory.

This page is filed under keyword(s): apache.

Naturally, if the .htaccess (ht.acl in Windows) does not already exist in the directory we wish to protect, we must create it first. It is a plain text file, so you may use any text editor to create/modify this file, such as pico, emacs, Notepad, or TextEdit.

Our first step is to add these lines below to the .htaccess file.

AuthName "This is a restricted area, please log in first."
AuthType Basic
AuthUserFile /directory/path/passwdfile

AuthName is the text that will appear in the browser pop-up when the user is challenged. AuthType value of "Basic" means we are using basic HTTP authentication. AuthUserFile is the path and file name of our password file; more on that later.

Also in the .htaccess file, we add a list of user names we wish to allow to access the web directory we are locking down. For example:

require user jdoe
require user spannu

We are now done with the .htaccess file. Now we just have to create the password file. In the Apache bin, there is an executable called "htpasswd". The first example below is used to create a new password file with the user "jdoe"; note that when using the -c parameter to create a new file, we will overwrite any password file that exists in the same directory, so be careful. To add a new user to an existing file, we should run the second example, the difference being the lack of the -c parameter.

htpasswd -c -b /directory/path/passwdfile jdoe secUr3Pwd

htpasswd -b /directory/path/passwdfile spannu an0therPwd

The -b parameter allows us to type in the password in the command line, which is helpful when you are setting up a script that creates a large number of users at once. If having the password in the command line cache is a concern, just remove the -b parameter, and we will be prompted to enter a password for each user.

We should now be all set. The next web visitor that reaches the directory where the .htaccess file resides should be challenged with a password prompt.

To remove a user from a certain password file:

htpasswd -D /directory/path/passwdfile jdoe

For our reference, below is the help text for the htpasswd command.

Usage:
        htpasswd [-cmdpsD] passwordfile username
        htpasswd -b[cmdpsD] passwordfile username password

        htpasswd -n[mdps] username
        htpasswd -nb[mdps] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -m  Force MD5 encryption of the password (default).
 -d  Force CRYPT encryption of the password.
 -p  Do not encrypt the password (plaintext).
 -s  Force SHA encryption of the password.
 -b  Use the password from the command line rather than prompting for it.
 -D  Delete the specified user.
On Windows, NetWare and TPF systems the '-m' flag is used by default.
On all other systems, the '-p' flag will probably not work.

Did you find this page useful? Please consider browsing other articles or subscribing to the RSS feed to keep up with latest.

This page is filed under keyword(s): apache.
Author: C. Peter Chen
Last updated: 24 Mar 2008

bottom corner