Jesin's Blog


Password Protect directories using .htpasswd

September 12, 2010 Web Servers Jesin A 2 Comments


Anything uploaded to the document root (the www, htdocs or public_html folder) of your web server is visible to the public, which is why it's always recommended to store confidential information outside the document root. But if you want that information to be accessible to selected people, you need to put it in a directory inside the document root and password protect it. Even though server-side languages like PHP and ASP can be used to handle authentication, that can be cumbersome. The .htaccess and .htpasswd files can be used to simplify the whole process and make your life easier. Let's go step by step.

Step 1:- Create a .htpasswd file

The .htpasswd file contains a list of usernames and passwords for authentication. It is recommended to create this file outside the document root folder (the www, htdocs or public_html folder). So let's assume my document root is /home/username/public_html; the .htpasswd file should then be placed inside the /home/username folder. Make sure there is a dot at the beginning of the file name. Use the .htpasswd generator tool to create a username and encrypted password and place it inside the .htpasswd file. Place one entry per line. Look at the following scenario:

User1
Username: Mike
Password: pass1
User2
Username: John
Password: pass2
User3
Username: Michel
Password: pass3

For the above list of credentials, the following lines should be added to the .htpasswd file:
Mike:$apr1$0tk/3shV$XxjMyZUr9NQf87HTm7I7R.
John:$apr1$tA.gPX3v$ahSj1zkt9ZeunGqVYxMNa0
Michel:$apr1$HV03itP8$okrHauKvukvMSyE3LHlOe0

Save the file and move on to the next step.

Step 2:- Create a .htaccess file

Go inside the directory which is to be password protected. In this case let's take it as /home/username/public_html/secret. Create a file named .htaccess, open it using a text editor and add the following lines:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/username/.htpasswd"
Require valid-user

The AuthName specified here will be displayed in the web browser dialog box when someone tries to access the password protected directory.

[Image: browser dialog requesting a username and password, displaying the AuthName value]

The AuthUserFile is the complete location of the .htpasswd file on the server. If you don’t know the complete location, create a PHP file named location.php and type:
<?php
echo $_SERVER['DOCUMENT_ROOT'];
?>

Access the file via its URL (http://example.com/location.php) and it will display the complete location of your files on that server.

[Image: the PHP code displays the entire directory location on your server]

Delete the location.php file afterwards, as it might pose a security threat later. Now, according to the above image, if you placed the .htpasswd file outside the htdocs folder then the AuthUserFile location should be "C:/AMP/Apache Software Foundation/Apache2.2/.htpasswd".

The Require option grants or restricts access to particular users. If it is set to valid-user then all the users specified in the .htpasswd file can log in. If you want only Mike and John to be allowed, then set it as Require user Mike John.

Save the .htaccess file and move on to the testing part.

Step 3:- Test the new settings

Access the password protected folder using your web browser. You’ll see a dialog box asking you to enter the username and password. After you enter them you should be able to view the page. If it doesn’t accept the credentials entered and still prompts you for the username and password, it could be due to the following reasons:

  1. Username and/or password is incorrect. You may have mistyped the username/password, or the case may be incorrect.
  2. There is a syntax error in the .htpasswd file. Make sure only one username and password combination is entered per line, and that the password is encrypted for the .htpasswd file.
  3. The location of the .htpasswd file specified in the .htaccess file for AuthUserFile could be incorrect. You should specify the entire directory location.
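
The causes listed above can be checked mechanically before reaching for the browser. This is an added Python example, not part of the original post; lint_htpasswd, lint_htaccess and the accepted hash prefixes are assumptions made here, and it covers file syntax and the AuthUserFile path only (reason 1 needs the password itself).

```python
import posixpath
import shlex

HASH_PREFIXES = ("$apr1$", "$2y$", "{SHA}")  # assumption: anything else is treated as plaintext

def lint_htpasswd(text):
    """Reason 2: every non-empty line must be exactly one username:hash entry."""
    problems, seen = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, secret = line.partition(":")
        if not (sep and user and secret):
            problems.append(f"line {no}: expected username:hash")
        elif any(ch.isspace() for ch in secret):
            problems.append(f"line {no}: whitespace in entry, more than one per line?")
        elif not secret.startswith(HASH_PREFIXES):
            problems.append(f"line {no}: password for {user} does not look hashed")
        if user in seen:
            problems.append(f"line {no}: duplicate user {user}")
        seen.add(user)
    return problems

def lint_htaccess(text, docroot):
    """Reason 3 and Step 2: directives present, AuthUserFile complete and outside docroot."""
    found, problems = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        try:
            parts = shlex.split(line, comments=True)
        except ValueError:
            problems.append(f"line {no}: unbalanced quote")
            continue
        if parts:
            found[parts[0].lower()] = parts[1:]
    required = ("AuthType", "AuthName", "AuthUserFile", "Require")
    problems += [f"missing {name}" for name in required if not found.get(name.lower())]
    path = (found.get("authuserfile") or [""])[0].replace("\\", "/")
    root = posixpath.normpath(docroot.replace("\\", "/"))
    if path and not (path.startswith("/") or path[1:3] == ":/"):
        problems.append("AuthUserFile is not a complete path")
    elif path and (posixpath.normpath(path) + "/").startswith(root + "/"):
        problems.append("AuthUserFile is inside the document root")
    return problems

# Constructed sample input built from the page's own example values.
SAMPLE_HTACCESS = '''AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/username/.htpasswd"
Require valid-user
'''
```

An empty list from both functions means the files are well formed; each string returned names the line or directive to fix.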

When the web browser prompts you for credentials, if you press Cancel a 401 error is encountered and an “Authorization Required” error is displayed.

Note: Even though this method password protects your directories, the passwords entered in your browser are sent to the server in an unencrypted form. Use this method only to add an extra layer of security for protecting administration panels and backends.
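
What the server does with the header a browser sends ties the Note above to the entries from Step 1: the Basic value is only base64, so the password is readable to anything that sees the request, and the server checks it by recomputing the $apr1$ hash with the stored salt. This is an added Python example, not code from the original post; apr1, check_basic and the sample values are names and data constructed here.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def to64(value, count):  # lowest 6 bits first, in crypt's alphabet
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1(password, salt):
    """Apache's $apr1$ scheme: MD5-crypt with the magic string '$apr1$'."""
    pw, s, magic = password.encode(), salt.encode()[:8], b"$apr1$"
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + magic + s
    for n in range(len(pw), 0, -16):
        ctx += alt[:min(n, 16)]
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):  # fixed 1000 rounds of stretching
        block = pw if i & 1 else final
        block += s if i % 3 else b""
        block += pw if i % 7 else b""
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return "$apr1$" + s.decode() + "$" + out + to64(final[11], 2)

def check_basic(header, htpasswd_text):
    """Decode an 'Authorization' header value and verify it against .htpasswd text."""
    scheme, _, token = header.partition(" ")
    try:
        user, sep, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # bad base64 or bytes that are not UTF-8
        return False
    if scheme.lower() != "basic" or not sep:
        return False
    for line in htpasswd_text.splitlines():
        name, _, stored = line.strip().partition(":")
        parts = stored.split("$")
        if name == user and len(parts) == 4 and parts[1] == "apr1":
            return hmac.compare_digest(apr1(password, parts[2]).encode(), stored.encode())
    return False

# Constructed sample: an entry for Mike/pass1 and the header a browser would send for it.
SAMPLE_HTPASSWD = "Mike:" + apr1("pass1", "0tk/3shV")
SAMPLE_HEADER = "Basic " + base64.b64encode(b"Mike:pass1").decode()
```

Serving the protected directory over HTTPS keeps that header from crossing the network in the clear.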

    Creative Commons License
    Jesin's Blog by Jesin A is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
    Based on a work at websistent.com.