Home : Forums : Website Management : Password Protecting Your Pages with htaccess

Password Protecting Your Pages with htaccess

  You are currently not logged in. You can view the forums, but cannot post messages. Log In | Register
03-Oct-05 00:00
DeleteDelete EditEdit
Elated Elated's avatar Rank: gold
Gold
Posts: 297
From: Brighton, UK
This is a forum topic for discussing the article "Password Protecting Your Pages with htaccess":

http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/

Learn how to use Apache's .htaccess files to protect pages on your site with a username and password.
03-May-10 12:31
DeleteDelete EditEdit
im_abby im_abby's avatar Rank: none
No stars yet
Posts: 1
Great article. I found it extremely helpful.

However, I am struggling to figure out if it is at all possible using this method to password protect URLs that have dynamically been written from a database. These directories do not physically exist on the server, but I would like to lock out access to them.

Is this possible using .htaccess?
03-May-10 20:10
DeleteDelete EditEdit
cat cat's avatar Rank: gold
Gold
Posts: 454
From: Australia
Hi there,

I think it should be possible. I do something similar with redirects for URLs that don't physically exist on the server through .htaccess - I am doing my URL rewriting through .htaccess too though.

Give it a try and see. I'd be interested to hear whether it works or not!

Cat

--
http://web.soothed.com.au/
Web design for natural therapists
06-Jul-10 10:51
DeleteDelete EditEdit
looby looby's avatar Rank: none
No stars yet
Posts: 1
Thanks very much for this - it's a lot clearer than some other "explanations".

I wondered if I could just mention something which will be obvious to most but with which I struggled. It took me a long time to work out what exactly to put in the AuthUserFile line. Eventually I realilsed that it must look something like this

AuthUserFile /home/your_user_name/folder/.htpasswd

I was originally trying

/folder/.htpasswd

which won't work.

Thanks again for a helpful article.
07-Jul-10 04:19
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
@looby: Thanks for your contribution - I'm glad you found the article useful.

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
24-Sep-10 11:02
DeleteDelete EditEdit
DaisyMae DaisyMae's avatar Rank: none
No stars yet
Posts: 1
Hi

The password protection works like a dream, however once I've sumbitted the correct password I get an Internal Server Error.

It's the same error I get when I mess up the main website .htaccess file.

The main website is still working ok.

Do you have any ideas why it might be giving me this error?

Thanks

xxx

--
www.viva.org.uk
26-Sep-10 19:12
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
@DaisyMae: Take a look in your Apache error log - this will tell you the exact error message/problem.

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
19-Oct-10 16:21
DeleteDelete EditEdit
skelkins skelkins's avatar Rank: none
No stars yet
Posts: 1
From: Portland, OR
This was a great tutorial: clear, easy to follow, and spectacularly useful. The very few times I've needed to do this, I've never remembered how it's done, and it has always seemed to take me ages of searching around before I find a genuinely helpful how-to. This time, I'm bookmarking. Thank you so much for writing it!
19-Oct-10 20:21
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
Thanks @skelkins, I'm glad you found the tutorial helpful.

Cheers,
Matt

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
21-Nov-10 18:59
DeleteDelete EditEdit
dougsix dougsix's avatar Rank: none
No stars yet
Posts: 2
From: Lynnwood, WA USA
Your explanation was clear and worked fine for protecting web folders as described.....but
I guess I was looking for something different.
On my first web I have some sub-folders with pages in them.
I want to prevent access dirctly into the sub-folders but allow the web browser to see the pages.
Hope I explained that correctly.

Thanks
21-Nov-10 23:02
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
Hi dougsix,

If I understand you correctly, you want to prevent automatic directory listings. To do this with Apache, see:

http://httpd.apache.org/docs/1.3/misc/FAQ.html#indexes

Alternatively, you could put a blank index.html file in each directory.

Hope that helps!

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
22-Nov-10 13:10
DeleteDelete EditEdit
dougsix dougsix's avatar Rank: none
No stars yet
Posts: 2
From: Lynnwood, WA USA
Thanks for the quick response.
The blank index.html page seems to do exactly what I wanted. Now the contents of the folders ares not visible.

Thanks again.

Dougsix
23-Nov-10 23:37
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
@dougsix: Great stuff. You'll find the .htaccess approach is generally more manageable, but the blank index.html technique works well if you only have a few directories to protect (and you don't want to mess around with .htaccess files).

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
27-Jan-11 09:36
DeleteDelete EditEdit
JustToSay JustToSay's avatar Rank: none
No stars yet
Posts: 1
Thanks for the info on using htpasswd.exe that was welcome info. And the passwd protect works fine also. But I would like to add in my case here I had an error in the log every hit saying.
client denied by server configuration: it was because I was allowing dir listing in the folder to fix that I added.

IndexIgnore .htaccess to the .htaccess fixed the errors when it tried to read the dir listing every time.



AuthUserFile c:\webserver\ServerControl\.htpasswd
AuthName “WhoAreYou”
AuthType Basic
require valid-user
IndexIgnore  .htaccess
Options +Indexes
# adding fancy directory indexing
IndexOptions +FancyIndexing


Thanks again for the nice how to..
27-Jan-11 22:36
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
@JustToSay: Thanks for the feedback, and the extra info.

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
08-Feb-11 18:17
DeleteDelete EditEdit
tommie tommie's avatar Rank: none
No stars yet
Posts: 1
Love the explanation of how to protect folders and pages.

I'm working on a script that will allow users in the system to "auto login" or ftp to a password protected folder from a link provided to them. Is this even possible and if not with .htaccess is there another way?

ex:

http://www.mydomain.com/protected-folder?username=USERNAME&password=PASSWORD

[Edited by tommie on 08-Feb-11 18:48]
09-Feb-11 19:29
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
Hi tommie,

You can specify a username and, optionally, a password in an ftp:// URL:

http://www.cs.rutgers.edu/~watrous/user-pass-url.html

Cheers,
Matt

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
18-Jun-11 18:26
DeleteDelete EditEdit
banafsajy banafsajy's avatar Rank: none
No stars yet
Posts: 1
hi, how do you get users to logout from the protected page once they are done viewing the content?

Once I've successfully entered the protected page using this method and I close the window, the next time I visit the protected page it doesn't ask me for a password anymore.

So question is, how secure is this?
23-Jun-11 03:37
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
@banafsajy: You can't really. The browser stores the credentials until it's closed:

http://en.wikipedia.org/wiki/Basic_access_authentication#Disadvantages

If you need to support timeouts and logouts then the best bet is to use server-side code (PHP, ASP etc) with sessions. This also gives you more security since the credentials aren't sent by the browser with every request - only the session ID is sent.

Cheers,
Matt

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
29-Feb-12 02:55
DeleteDelete EditEdit
gordon gordon's avatar Rank: none
No stars yet
Posts: 1
From: El Cajon, Ca., USA
I tried this.
I put the password above the root directory.
Everything works well, except that if instead of entering a username and password, I just hit cancel, it takes me right into the directory I was trying to protect.

Any suggestions?

--
gordon
04-Mar-12 23:43
DeleteDelete EditEdit
matt matt's avatar Rank: gold
Gold
Posts: 3328
From: Southern Highlands, NSW, Australia
@ gordon: No idea without seeing your .htaccess and password files. Sounds like maybe your Apache isn't set up for HTTP auth properly.

--
Matt Doyle, Elated
3rd Edition of my jQuery Mobile book out now! Learn to build mobile web apps. Free sample chapter: http://store.elated.com/
27-Nov-12 12:45
DeleteDelete EditEdit
derek7467 derek7467's avatar Rank: none
No stars yet
Posts: 2
From: delran nj usa
Can i specify an error page if the user hits cancel and gives bad credentials?
27-Nov-12 13:12
DeleteDelete EditEdit
derek7467 derek7467's avatar Rank: none
No stars yet
Posts: 2
From: delran nj usa
figured it out. thanks.
 
New posts
Old posts

Follow Elated