
Password protecting a folder using .htaccess

The password protection feature of '.htaccess' can be used to secure entire folders or files on your web server. This is much easier than having to code the entire authentication system by hand.

This feature has been a life saver for me on several occasions. One time a project I was working on was overdue and I still had to do the admin side of the system. I did not have the time to create an authentication system at that stage. So I made a .htaccess file and used it to password protect the whole admin folder. What would have taken me hours was over in a few seconds. .htaccess saves the day. Afterwards, I had to code the authentication system myself in PHP because the project needed some features like multiple admins, password retrieval etc. Anyway, it saved me from work on the first day.

Try it out...

Let's say that we are trying to protect the '/var/www/htdocs/top_secret' folder. We will make this folder inaccessible to all but our user 'james_bond'. He will access it using the highly secure and unguessable password 'secret'.

  • Username : james_bond
  • Password : secret

First we go to the folder we are protecting (i.e. '/var/www/htdocs/top_secret') and create the .htaccess file in this directory. Put these lines in the .htaccess file...

AuthUserFile /var/www/safe/.htpasswd
AuthGroupFile /dev/null
AuthName TopSecret
AuthType Basic

require user james_bond

Open the location /var/www/safe/ (create this folder if it doesn't exist) and create a file called '.htpasswd' with this line...

james_bond:tbuUG6kXINUbo

Fire up your favorite browser (it should be Firefox - anything less is sacrilege) and point it to the location http://127.0.0.1/top_secret. If all went well, you should see a Username/Password prompt. You will only be allowed in if you provide the valid username and password (james_bond/secret).

Explanation

.htaccess

AuthUserFile /var/www/safe/.htpasswd
AuthGroupFile /dev/null
AuthName TopSecret
AuthType Basic

require user james_bond

The first line gives the location of the file holding the usernames and passwords. For security reasons, this file is kept outside the document root. We don't want any yahoos with a web browser downloading our .htpasswd file. You will have to change this to the location where you kept your .htpasswd file.

The second line is the full path of a text file containing the list of user groups that should be allowed in. This line is not relevant in our context as we don't have any groups - we are just pointing it to a null file.

The third line 'AuthName TopSecret' is the name of the area you are protecting. You can change this as you see fit. This text will appear in the prompt for the username and password - like this...

Enter username and password for "TopSecret" at ...

The fourth line 'AuthType Basic' is used because we are using the basic authentication scheme.

The last line 'require user james_bond' says that only user 'james_bond' can enter. If you have multiple users in the .htpasswd file, you can use the line...

require valid-user

Now any user in the .htpasswd file can enter.

.htpasswd

This file is a list of all users in the format... <USERNAME>:<PASSWORD>

The username is given in plain text while the password is hashed using the 'crypt' function. You can generate this password using the 'htpasswd' command on Linux. For example, running the command...

htpasswd -c .htpasswd james_bond

will ask for a password. Once the password is provided, the program will create the file '.htpasswd' in the current folder with the user 'james_bond' and the given password.

If you are not on Linux or if you are afraid of typing commands in the console, you can create the password using one of the many online password generators out there...

Or if you want to create the password yourself, the PHP code is given below...

<?php
$username = 'binny';
$password = 'secret';   // placeholder: put the password you want to hash here

// Create a random two-character salt. Traditional crypt() only accepts
// salt characters from the set [a-zA-Z0-9./], so the alphabet is limited to those.
$chars = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$salt  = $chars[rand(0, strlen($chars) - 1)] . $chars[rand(0, strlen($chars) - 1)];

// Print the username:password pair, ready to paste into .htpasswd
print $username . ':' . crypt($password, $salt);

If you don't understand the above code, just use this...

crypt('password', 'ab');   // the salt argument is required in current PHP releases

This will return the hashed password. For more information, see the PHP manual entry on crypt.
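As an added example (not from the original post), this Python script parses the .htaccess and .htpasswd pair from the walkthrough above and flags the mistakes the text warns about: a password file left inside the document root, or a 'require user' line naming someone with no .htpasswd entry. It assumes the document root is /var/www/htdocs, as in the walkthrough.

```python
import posixpath
import shlex
HTACCESS = """\
AuthUserFile /var/www/safe/.htpasswd
AuthGroupFile /dev/null
AuthName TopSecret
AuthType Basic
require user james_bond
"""
HTPASSWD = "james_bond:tbuUG6kXINUbo\n"
DOCUMENT_ROOT = "/var/www/htdocs"  # assumed web root; the inputs above are constructed samples

def parse_htaccess(text):
    """Return (directives keyed by lowercase name, list of required users)."""
    directives, required = {}, []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts and parts[0].lower() == "require":
            if parts[1:2] == ["user"]:
                required.extend(parts[2:])  # 'require user a b' names users
            elif parts[1:2] == ["valid-user"]:
                required.append("valid-user")  # anyone listed in .htpasswd
        elif parts:
            directives[parts[0].lower()] = " ".join(parts[1:])
    return directives, required

def parse_htpasswd(text):
    """Map username -> crypt() hash from <USERNAME>:<PASSWORD> lines."""
    users = {}
    for line in text.splitlines():
        name, sep, hashed = line.strip().partition(":")
        if sep and name and hashed and not name.startswith("#"):
            users[name] = hashed
    return users

def check_config(htaccess, htpasswd, document_root):
    """Return problems that would leave the folder open or expose the password file."""
    problems = []
    directives, required = parse_htaccess(htaccess)
    users = parse_htpasswd(htpasswd)
    user_file = directives.get("authuserfile", "")
    # The page's rule: .htpasswd must sit outside the document root or it can be fetched.
    if user_file and posixpath.commonpath([user_file, document_root]) == document_root:
        problems.append(f"AuthUserFile {user_file} is inside DocumentRoot {document_root}")
    if not required:
        problems.append("no Require directive: the folder is not protected at all")
    for name in required:
        if name != "valid-user" and name not in users:
            problems.append(f"Require user {name} has no entry in .htpasswd")
    return problems
```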

Problems

No matter what you do, you can't get the username/password prompt. You just go to the page directly. This is because your Apache server is not reading the .htaccess file. Open the server configuration file (usually /etc/httpd/conf/httpd.conf). Search for the text 'AllowOverride'. Find the AllowOverride setting for the document root folder (something like /var/www/htdocs). Change this line to...

AllowOverride All

This setting will make sure that the Apache server reads and uses the .htaccess file. After making this change, restart the server with the command 'service httpd restart'.

For more information, see the Apache documentation.
