.htaccess password protection: Securing a folder in a website

**gcawood** · 11-10-2011, 04:02 PM

If you have any sort of sensitive documentation or private web application that you want to secure behind a username and password field, then .htaccess is a simple and easy way to start. .htaccess is a server side challenge/response security mechanism that is built directly into the web server. It is therefore, more secure than a scripted approach to security that is embedded into any application.

To use .htaccess, you will need to have access to a web accessible directory. In that directory, you will need to place the following file.

.htaccess

Making a .htaccess file
The .htaccess file should be placed inside of the directory that you want to secure. The file should contain the following code.

Code:

AuthUserFile /home/username/secrets/.htpasswd
AuthGroupFile /dev/null
AuthName "You Shall Not Pass!!"
AuthType Basic

require user username

The first line "AuthUserFile" is the full server path to your htpasswd file. You will need to edit this line so that it references the correct location of the .htpasswd file. Please note that this is not a URL, this is a server path, and in a Linux file system, will start with a /. You should also not put your .htpasswd file in a web accessible directory!!

Edit the line that starts with "require user" so that you enter the username of those who you want to give access to.

This applies if you had an htpasswd file that had multiple users setup in it and you wanted each one to have access to an individual directory. If you wanted the entire list of users to have access to that directory, you would replace Require user xxx with require valid-user.

The AuthName is the name of the area you want to access. It could say anything, such as "You Shall Not Pass!!". Feel free to change this to whatever you want.

We are using AuthType Basic because we are using basic HTTP authentication.

Generating a password file

There are a bunch of different ways to generate a .htaccess files. However, as this is a Linux Forum, we will show the CLI way of doing it. If you don't have command line access, just google "generate .htpasswd file" and you will be set.

USAGE: Command -c PATH UserName

Code:

htpasswd -c /home/username/secrets/.htpasswd Obama

**MustangV10** · 11-11-2011, 02:30 PM

I've used .htaccess before, quite a handy feature in my opinion, I could never make use of it once before since I had a Dynamic IP, have a static now so I can.

**ashishagarwal** · 05-03-2013, 08:19 AM

Why not in a Static IP

means why didnt you use .htaccess in a static IP?

Thread: .htaccess password protection: Securing a folder in a website

Thread Tools

Display