ClientWorX Business Solutions Home
Fri Dec 2 2022

Many web sites use password protection to restrict access from parts of their web site. Maybe you have a members area or just a private area of your web site that you want to keep people out of. I have seen lots of people try to use a javascript application to keep people out but most of these type of attempts fail miserably. One way to setup a secure area is to use the htaccess file in the Apache web server to lock down a directory.

Access to the directory is then protected by the OS which will prompt the user for a username and password. Each attempt to access a file in the directory will require that the web browser supply the correct credentials before the web server provides the web page or file to the user. The browser will remember the user credentials for each access to the web server.

There are many different ways to provide password protection including the use of a mySQL database and PHP or session access provided with cookies PERL or another programming language. But for now we will use the htaccess file to secure a directory on the web server. Keep in mind that we are protecting an entire directory and not just files on the web server.

Our secure directory access will be provided by two files which you will need to upload to the directory you want to have password protected. The first file is the .htaccess file which will direct the OS to prompt for the username and password and the second file .htpasswd will hold the usernames and passwords for access to the directory.

We will start with the .htaccess file. Here is what the typical file will look like. You will create your .htaccess file using a text editor.

AuthUserFile /home/public_html/members_directory/secure/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure - Members Area"
AuthType Basic
require valid-user	

<Files .ht*>
order allow,deny
deny from all
ErrorDocument 401 /members_directory/SendPassword.htm

Now lets take a closer look at this file and explain what is happening with each line or part of the file.

AuthUserFile This is the full path and file name of the file that will hold our usernames and passwords. Notice that this is the web server path to the file and that our password file name starts with a "." not htpasswd but .htpasswd for the name in our example.
AuthGroupFile Because we are not using a group file to set our access rights we will just set this to /dev/null. If we wanted to use a group file for access then we would use the full path just like the AuthUserFile.
AuthName This will be displayed in the browsers authentication window and tells the user the name you gave your secure area.
AuthType "Basic" is the type of authentication we are performing with the browser.
require valid-user Here we tell the web server that the user must be a valid user to access this directory.

As you can see we still have a couple more lines in our .htaccess file. These two parts that are left are for both security and also in the case of a user not being able to supply the username and password. We could give them a default page that tells them that they are not authorized to view this area but in most cases you want to direct them to a page that blends into the rest of your web site and also can give them directions on how retrieve the password or gain access to this password protected area of your web site.

<Files .ht*> The "Files" directive deals directly with our password and access files. We are setting restrictions on these files so that the user could not view these sensitive files which contain our passwords and usernames. We are using the .ht* to match any file starting with .ht, in our case our files will be named .htaccess and .htpasswd and our users can not view these files even after they provide a valid username and password.
order allow,deny Here we are setting the default access state and the order in which we evaluate the allow or deny. The Allow directives are evaluated before the Deny directives. Access is denied by default with this setting.
deny from all Controls which hosts have access. In our case we are denying everyone access to our files.
</Files> This is the closing tag for the "Files" directive.
ErrorDocument 401 Here we handle the 401 error which is the error returned to the browser when the user does not provide the correct username or password.

As you can see we now have completed the first part of our .htaccess protection for our Apache web server directory. It is important to remember that both files will need to be uploaded to the web server using ASCII mode not Binary!

Ok so lets get started on the username and password part of our project. for this we will also be creating our password file using a text editor. keep in mind that many different scripts or applications can help automate this process. For example you may write a PERL script which adds, modifies or deletes users and passwords. We can save this project for another day. Today we will create the file by hand.

The .htpasswd file consists of usernames and encrypted passwords stored in a simple text file with one username and password separated by a colon ":" per line. A typical file will look like this.

john doe:CLkGftLTU2wJ2
Mary Smith:TeImsFMX0svNY

Both the username and password are case sensitive so john and John are different usernames.

Here is a simple application to create the username and password line for the password file. Just fill in the username and password pair that you want to create and we will show you the line you need to include in the .htpasswd file.


Remember that both files will need to be uploaded to the web server using ASCII mode not Binary! You will place both files in the directory which you want to password protect.

Troubleshooting htaccess is really not all that difficult. The main reason authentication fails is due to the path to the password file not being correct or the user has uploaded the files in binary mode not ASCII mode.