Password Protecting Your Pages with htaccess

  You are currently not logged in. You can view the forums, but cannot post messages. Log In | Register

03-Oct-05 00:00
This is a forum topic for discussing the article "Password Protecting Your Pages with htaccess":

http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/

Learn how to use Apache's .htaccess files to protect pages on your site with a username and password.
03-May-10 12:31
Great article. I found it extremely helpful.

However, I am struggling to figure out if it is at all possible using this method to password protect URLs that have dynamically been written from a database. These directories do not physically exist on the server, but I would like to lock out access to them.

Is this possible using .htaccess?
03-May-10 20:10
Hi there,

I think it should be possible. I do something similar with redirects for URLs that don't physically exist on the server through .htaccess - I am doing my URL rewriting through .htaccess too though.

Give it a try and see. I'd be interested to hear whether it works or not!

Cat

--
http://web.soothed.com.au/
Web design for natural therapists
06-Jul-10 10:51
Thanks very much for this - it's a lot clearer than some other "explanations".

I wondered if I could just mention something which will be obvious to most but with which I struggled. It took me a long time to work out what exactly to put in the AuthUserFile line. Eventually I realilsed that it must look something like this

AuthUserFile /home/your_user_name/folder/.htpasswd

I was originally trying

/folder/.htpasswd

which won't work.

Thanks again for a helpful article.
07-Jul-10 04:19
@looby: Thanks for your contribution - I'm glad you found the article useful.

--
Matt Doyle, Elated
24-Sep-10 11:02
Hi

The password protection works like a dream, however once I've sumbitted the correct password I get an Internal Server Error.

It's the same error I get when I mess up the main website .htaccess file.

The main website is still working ok.

Do you have any ideas why it might be giving me this error?

Thanks

xxx

--
www.viva.org.uk
26-Sep-10 19:12
@DaisyMae: Take a look in your Apache error log - this will tell you the exact error message/problem.

--
Matt Doyle, Elated
19-Oct-10 16:21
This was a great tutorial: clear, easy to follow, and spectacularly useful. The very few times I've needed to do this, I've never remembered how it's done, and it has always seemed to take me ages of searching around before I find a genuinely helpful how-to. This time, I'm bookmarking. Thank you so much for writing it!
19-Oct-10 20:21
Thanks @skelkins, I'm glad you found the tutorial helpful.

Cheers,
Matt

--
Matt Doyle, Elated
21-Nov-10 18:59
Your explanation was clear and worked fine for protecting web folders as described.....but
I guess I was looking for something different.
On my first web I have some sub-folders with pages in them.
I want to prevent access dirctly into the sub-folders but allow the web browser to see the pages.
Hope I explained that correctly.

Thanks
21-Nov-10 23:02
Hi dougsix,

If I understand you correctly, you want to prevent automatic directory listings. To do this with Apache, see:

http://httpd.apache.org/docs/1.3/misc/FAQ.html#indexes

Alternatively, you could put a blank index.html file in each directory.

Hope that helps!

--
Matt Doyle, Elated
22-Nov-10 13:10
Thanks for the quick response.
The blank index.html page seems to do exactly what I wanted. Now the contents of the folders ares not visible.

Thanks again.

Dougsix
23-Nov-10 23:37
@dougsix: Great stuff. You'll find the .htaccess approach is generally more manageable, but the blank index.html technique works well if you only have a few directories to protect (and you don't want to mess around with .htaccess files).

--
Matt Doyle, Elated
27-Jan-11 09:36
Thanks for the info on using htpasswd.exe that was welcome info. And the passwd protect works fine also. But I would like to add in my case here I had an error in the log every hit saying.
client denied by server configuration: it was because I was allowing dir listing in the folder to fix that I added.

IndexIgnore .htaccess to the .htaccess fixed the errors when it tried to read the dir listing every time.



AuthUserFile c:\webserver\ServerControl\.htpasswd
AuthName “WhoAreYou”
AuthType Basic
require valid-user
IndexIgnore .htaccess
Options +Indexes
# adding fancy directory indexing
IndexOptions +FancyIndexing


Thanks again for the nice how to..
27-Jan-11 22:36
@JustToSay: Thanks for the feedback, and the extra info.

--
Matt Doyle, Elated
08-Feb-11 18:17
Love the explanation of how to protect folders and pages.

I'm working on a script that will allow users in the system to "auto login" or ftp to a password protected folder from a link provided to them. Is this even possible and if not with .htaccess is there another way?

ex:

http://www.mydomain.com/protected-folder?username=USERNAME&password=PASSWORD

[Edited by tommie on 08-Feb-11 18:48]
09-Feb-11 19:29
Hi tommie,

You can specify a username and, optionally, a password in an ftp:// URL:

http://www.cs.rutgers.edu/~watrous/user-pass-url.html

Cheers,
Matt

--
Matt Doyle, Elated
18-Jun-11 18:26
hi, how do you get users to logout from the protected page once they are done viewing the content?

Once I've successfully entered the protected page using this method and I close the window, the next time I visit the protected page it doesn't ask me for a password anymore.

So question is, how secure is this?
23-Jun-11 03:37
@banafsajy: You can't really. The browser stores the credentials until it's closed:

http://en.wikipedia.org/wiki/Basic_access_authentication#Disadvantages

If you need to support timeouts and logouts then the best bet is to use server-side code (PHP, ASP etc) with sessions. This also gives you more security since the credentials aren't sent by the browser with every request - only the session ID is sent.

Cheers,
Matt

--
Matt Doyle, Elated
29-Feb-12 02:55
I tried this.
I put the password above the root directory.
Everything works well, except that if instead of entering a username and password, I just hit cancel, it takes me right into the directory I was trying to protect.

Any suggestions?

--
gordon
04-Mar-12 23:43
@ gordon: No idea without seeing your .htaccess and password files. Sounds like maybe your Apache isn't set up for HTTP auth properly.

--
Matt Doyle, Elated
27-Nov-12 12:45
Can i specify an error page if the user hits cancel and gives bad credentials?
27-Nov-12 13:12
figured it out. thanks.
17-Nov-13 17:20
Question for you. I used htaccess to password protect a page of my website previously. I want to password protect a new page of my website, but make a new password for this page that will not work on the other page. My old computer died, and I got a new computer. I have been trying to find the htaccess and htpasswd files with no success.

If I want to password protect this new page with different passwords, am I out of luck? Is my only option to put it in the same folder with the already password-protected page, and use the same password as it? Any suggestions on what I should do?
17-Nov-13 18:17
Put it in a different directory with it's own .htaccess file and .htpasswd file

Bearing in mind of course that a .htaccess file applies to all subdirectories off the directory as well.

--
Chris.
So long, and thanks for all the fish.
http://webmaster-talk.eu/
18-Nov-13 10:13
I tried doing that, it doesn't seem to work! At best I can only get the other page to be password protected. This one shows no matter what, even if I put it in the same folder and add more <Files></Files> blocks. Any suggestions would be greatly appreciated!
19-Nov-13 16:46
Do you have a .htaccess file in the document root directory?

If so, the directives in that will cascade along the entire directory tree and take precedence over 'local' .htaccess directives.

--
Chris.
So long, and thanks for all the fish.
http://webmaster-talk.eu/
19-Nov-13 22:41
Hi Chris, it's in the main folder of my website. I have some IP addresses blocked in the htaccess file as well. The file that's password protected is in a folder called "Private_folder".

I also specified:
AuthUserFile /home/content/s/h/i/shinycrayons/html/.htpasswd
AuthType Basic
AuthName "Resume"

<Files "cv.html">
Require user shinycrayons
</Files>

If I want to password protect another page in the same folder, what would I enter?

I'm new to this, so thanks for your help in advance!
20-Nov-13 09:50
To protect multiple files you need to use a FilesMatch directive with a regular expression OR (|) and put the match patterns in paranthesis.

The IfModule directive is not required, it is simply a check that Apache has been compiled with mod_auth included



<IfModule mod_auth.c>
<FilesMatch "(filename\.ext)|(filename2\.ext)">
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require [valid-user-name]
AuthType Basic
</FilesMatch>
</IfModule>


If you want different usernames and passwords for different filenames you add name:password pairs in .htpasswd



user1:r992@L24y8
user2:23849&h74U



and use Files or FilesMatch directives for each file name

The thing to be wary of is going over the top with htaccess directives, simply because it is loaded and read on every request to the server. So a few dozen lines of directives can add a significant extra load to a fairly busy server.

[Edited by chrishirst on 20-Nov-13 09:53]

--
Chris.
So long, and thanks for all the fish.
http://webmaster-talk.eu/
20-Jan-14 19:16
Thanks, Chris. I figured out what the issue was after many tries. The FilesMatch directive was fine. But the quotes I had were incorrect: they weren't straight double quotes, which threw everything off. I got it to work! Thanks for all your help.
12-May-14 09:21
The password protection works well, but with .htaccess I get problems with Apple TV ( Airplay). Videos can not be streamed with an active .htaccess file. Without .htaccess Airplay works with the same video-files.
What can I do?
12-May-14 09:48
Great article, clear and helpful - thanks Chris.
I got it working without any problems (to restrict access to some short videos).
My query is: Is there any way to change the default wording that is displayed in the authentication window.
"A username and password are being requested by http://www.website.co.uk. The site says: 'EnterPassword' ." I know you can change the "EnterPassword" with new text in AuthName but the sentence 'The site says...' is superfluous. Actually a simple 'Please enter Username and Password' is all that's required and would look much better. Can this be done?
If anyone knows, I'd appreciate it. Thanks in advance.
12-May-14 09:52
btw the above website.co.uk is not mine, just used 'website' as a generic term.
04-Jan-15 09:21
Just created an account to say thank you super useful. Found this post helpful when it didn't work the first time (using Ubuntu server): http://www.linuxquestions.org/questions/linux-server-73/htaccess-and-htpasswd-not-working-865318/.

 
New posts
Old posts

Follow Elated