4WebHelp

Password Protection by Rod

Last updated: 02/05/2012

In order to have a complete understanding of what a .htaccess file is, I suggest that you also read our Custom Errors tutorial and our Control File Defaults tutorial.

1. Using .htaccess to password protect your site

By default, all of your site is available to everyone to read. It may be that you want to protect all or part of your site, so that only users with valid usernames and passwords can access it. This section shows you how to use .htaccess to do this. It assumes, once again, that you want the effect to apply to the whole site - see section 10 for a discussion on protecting part of your site. The .htaccess file specifies the extent of the protection - it does not contain the passwords. These are stored in a separate file called .htpasswd, which is covered in the next section.

You need at least four lines in .htaccess to set up password protection. These are:

AuthName "Realm name"
AuthType Basic
AuthUserFile /BASEDIR/.htpasswd
require valid-user

/BASEDIR/ is the path to your root directory.

AuthName: Realm name is really just a piece of text that appears on the dialogue box asking for the password. See what it does in practice and then you can decide what text you would like here.

AuthType: Only Basic is possible at present. Another mode (Digest) is planned, which will be more secure, but there appears to be no release date for this yet.

AuthUserFile: The existence of the AuthUserFile line suggests that you can call the .htpasswd file something else. That is true, but it is best to call it .htpasswd, so that nobody can view its contents.

require: This says that any user validated by password is allowed; further on in the tutorial we show how this can be varied.

As well as these entries in the .htaccess file, you will need to set up a .htpasswd file - see the next section for details.

2. Creating the .htpasswd file.

The format of this file is simple. It consists of a series of usernames and passwords. Each line holds one username and the single password associated with it, separated by a colon. Here is an example:

frances:WrU808BHQai36
john:iABCQFQs40E8M
lisa:FAdHN3W753sSU

You may think these passwords are rather unrealistic and difficult to remember - the reason for this is that they are encrypted for security. The .htpasswd file does not hold the actual passwords in clear text - it holds them in a coded form. If you are running Apache (at least on Unix) there is a command called htpasswd which will translate clear text passwords into this encrypted form. What many webmasters do is use an on-line tool to do this translation. You can find such a tool in our Online Tools section.

NB: Although the .htpasswd file requires the passwords in encrypted form, the user must enter them in clear text.

You now have all the information you need to password-protect your site!
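The check below is an added example, not part of the original tutorial: it reads the contents of a .htpasswd file and reports which stored-password format each line uses, so that weak entries can be regenerated. The function names and every sample entry other than the tutorial's three are assumptions constructed for illustration.

```python
import re

# (scheme, pattern, verdict), checked in order. The prefix-less 13-character
# DES pattern goes last; a 13-character plaintext password would also match it.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[abxy]\$\d\d\$[./A-Za-z0-9]{53}"), "ok"),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"),
     "legacy: salted MD5, fast to brute-force"),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), "weak: unsalted SHA-1"),
    ("crypt-des", re.compile(r"[./A-Za-z0-9]{13}"),
     "weak: only the first 8 password characters are used"),
]

def classify(stored):
    """Return (scheme, verdict) for the part of a line after the colon."""
    for name, pattern, verdict in SCHEMES:
        if pattern.fullmatch(stored):
            return name, verdict
    return "unknown", "plaintext or unrecognised format: inspect by hand"

def audit(text):
    """Return [(line_number, username, scheme, verdict), ...] for a .htpasswd body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        user, sep, stored = line.partition(":")
        if not (sep and user and stored):
            findings.append((lineno, line, "malformed", "expected username:hash"))
            continue
        findings.append((lineno, user, *classify(stored)))
    return findings

# Constructed sample: the first three lines are the tutorial's own entries;
# the rest are made-up strings that only have the right shape for each scheme.
SAMPLE = "\n".join([
    "frances:WrU808BHQai36",
    "john:iABCQFQs40E8M",
    "lisa:FAdHN3W753sSU",
    "alice:$2y$05$" + "a" * 53,
    "bob:$apr1$saltsalt$" + "b" * 22,
    "carol:{SHA}" + "c" * 27 + "=",
    "dave:hunter2",
    "a line with no colon",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d  %-8s %-10s %s" % finding)
```

The tutorial's three sample entries are all 13 characters long, which is the shape of the traditional Unix crypt format.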

3. Using .htaccess in lower level directories.

So far we have talked about .htaccess as though it is one file that must go in the root directory. Not true. You can, if you choose, put a different .htaccess file in every directory. If you put a .htaccess file in the root, it will affect the whole site - all directories and all files in all directories and sub-directories. If you put it in a lower-level directory, it will affect the files in that directory, and all the subdirectories in that directory and all the files in those subdirectories - and so on.

You might, for example, put a .htaccess in your root directory which tells the system how to treat files with a suffix of .php, and you might have a different .htaccess file in another directory allowing users to view a directory listing, and you might set up another .htaccess file in a different directory to password protect only a small area of your site.

4. Advanced facilities for password protection

Other things you can do with .htaccess to control access include:
  • Selective access control and grouping users
    Instead of giving access to all users with valid passwords, you can restrict access to a directory to particular users, like this:

    require user frances lisa

    This would allow access to users frances and lisa (with a correct password) but not to user john. By using the same .htpasswd file, frances and lisa would not need a different password. If you want to keep usernames out of the .htaccess file, you can instead refer to formal groups of users, like this:

    require group women
    AuthGroupFile /mygroups

    The file mygroups would consist of a series of lines defining groups, like this:

    men:john
    women:frances lisa

    Individual usernames in a group are separated by spaces. A line with usernames can be up to 8kb long, and more than one line with the same groupname is allowed. Usernames can appear in more than one group (although my example makes that difficult!).

  • Protecting individual files
    You may wish to protect a single file in a directory. To do this, set up the .htaccess file like this:

    AuthName "Realm Name"
    AuthType Basic
    AuthUserFile /.htpasswd
    <Files file.xxx>
    require valid-user
    </Files>

    This would password protect file.xxx only.

  • Using the same usernames and passwords in different places on your site
    You may want to password protect separated areas of your website, but not want authorised users to have to enter the same username and password again as they move between the areas. In this case, set up two separate .htaccess files in the directories at the top of the two areas, use a single .htpasswd file, and use the same Realm Name in the AuthName lines in each .htaccess file.
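An access review for the require user and require group forms described above, as an added example that is not part of the original tutorial. It merges repeated group lines and reports names that are granted access but have no .htpasswd entry. The function names and the extra user mary are assumptions constructed for illustration.

```python
def parse_groups(text):
    """Parse AuthGroupFile text ('group: user user ...'); repeated group lines merge."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if sep:
            groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def allowed_users(require_line, groups, htpasswd_users):
    """Return (can_log_in, orphans) for one require line.

    can_log_in: granted names that also have a .htpasswd entry.
    orphans:    granted names with no .htpasswd entry (typo or stale account).
    """
    known = set(htpasswd_users)
    words = require_line.split()
    if len(words) < 2 or words[0].lower() != "require":
        raise ValueError("not a require line: %r" % require_line)
    kind, args = words[1].lower(), words[2:]  # this example accepts either case
    if kind == "valid-user":
        granted = set(known)
    elif kind == "user":
        granted = set(args)
    elif kind == "group":
        granted = set()
        for group in args:
            granted |= groups.get(group, set())
    else:
        raise ValueError("unsupported require type: " + kind)
    return granted & known, granted - known

# Constructed sample: the tutorial's group file plus a second "women" line
# naming mary, who has no .htpasswd entry.
GROUPS = parse_groups("men:john\nwomen:frances lisa\nwomen:mary\n")
USERS = {"frances", "john", "lisa"}

if __name__ == "__main__":
    for line in ("require valid-user", "require user frances lisa",
                 "require group women"):
        ok, orphans = allowed_users(line, GROUPS, USERS)
        print("%-28s allowed=%s orphans=%s" % (line, sorted(ok), sorted(orphans)))
```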

If you need to support a large number of users, simple .htpasswd text files will start to cause performance problems (because every file access in a protected area has to be checked for authentication by the server, even though the user only has to enter the password once). It is possible to use .dbm files instead, or to implement your own password protection system without using .htaccess - but this is beyond the scope of this tutorial.

5. Further information on .htaccess

You can also use the .htaccess file to, for example, do sophisticated redirection, and to prevent people from downloading your images. For more information on this, see Bill's advanced .htaccess tutorial at webxtractions.com.

For definitive information on .htaccess and .htpasswd on the webserver Apache, see www.apacheweek.com/features/userauth.

For definitive information about how user authentication works on the Internet, see the historic HTTP/1.0 and HTTP/1.1 documents, available at info.internet.isi.edu/in-notes/rfc/files/rfc1945.txt and info.internet.isi.edu/in-notes/rfc/files/rfc2068.txt respectively.

For another introduction to setting up user authentication, see the NCSA Tutorial at hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html - but beware that not all of this applies to Apache.


Acknowledgements

This tutorial is built from the contributions of k0z (who used to call himself Geneeus), Bill, Kjell, Choon, and Glenn. Other information derived from the Apache and Apache Week websites.

This document edited by Bill, 4 Nov. 2000. Screenshot added by Daniel, 25 Jun. 2002.

© 4WebHelp and Rod

Comments on this tutorial
Name: Rob | Email: none
This online service allows you to easily create .htpasswd files:

http://apps.mathieu-rodic.com/Encryption/.htpasswd-Generator
Name: sam | Email: ss at windy-beach dot co dot uk
Tried using this on some of www.mortdecai.co.uk but can't seem to get the path correct for the htaccess to get to the htpasswd file...
Name: Jim | Email: none
I'm confused about section 4: Quote:

Protecting individual files
You may wish to protect a single file in a directory. To do this, set up the .htaccess file like this:

AuthName "Realm Name"
AuthType Basic
AuthUserFile /.htpasswd
Allow From All
<Files file.xxx>
Deny From All
</Files>
This would password protect file.xxx only.

Shouldn't there be a require directive in there?
What about an Order directive?
How does this work?
Thanks
Name: Christine Spence | Email: caspen55 at hotmail dot com
I have a .htaccess file created by Godaddy's file manager for password protection. It does not prevent access to a .php file when the address leading to this file is entered into a web browser. Can anyone advise how to rectify this problem?
Name: Me | Email: ahti dot n at kolumbus dot fi
Newbie
I tried to install .htaccess
ok
But in win it won't accept
.htpasswd.
Why?
I get wrong peep.???
Name: Richard | Email: Richard at ivum dot co dot uk
For people who are having problems with where to place the files do the following:

Place the .htpasswd anywhere; wherever you place it, make sure you place the server path next to AuthUserFile in the .htaccess path so the htaccess file will look something like
AuthUserFile /hsphere/local/home/.htpasswd

The directory which you would like to password, place the .htaccess file in that directory and you're set to go.

To find out the server path login to your hosting package control panel and click on Domains and it should tell you in there could be named "HTML Directory Name"
Name: Sky | Email: none
What reason would there be for not seeing the password window pop up?
Name: Draxton | Email: 03Lowrider at sbcglobal dot net
Unless there's something I'm missing, it appeared as though this tutorial was going along just fine until I realized it talks about creating access files but nothing about where to place them once you've done that.

For instance, The Password File. Where does it go and how is it implemented?  I think more information on the basic setup could have been offered instead of a lot of conversation about the different way to use passwords & who gets in.

On a Scale of 1-10 I have to give this tutorial a 5 only because it fell short of fully explaining step by step instructions as it promised in the first few lines.
Name: Ramsey | Email: ramseygarnica at yahoo dot com
Perfect way of explaining this! Everyone should just remember, if they keep getting the password protection pop up for their username and pass, but their password never works, make sure the path to the root directory is correct. I spent a long time trying to figure that one out, and even my hosting company got it wrong.
Name: ttttttt | Email: none
i don't get it
Name: joeblack | Email: joeblack at buidaelpap dot net
It seems not to work on linux machines
Name: Mark | Email: mark at djthom dot ua
Hello. Liked your site very much. Great design and content!
Name: John | Email: john dot portovsi at yahoo dot com
Greetings to all! Excuse for this message, but at you excellent design of a site! Very much it was pleasant to me, I shall come here very often!
Name: Adam C | Email: mantis at tkff dot com
I found this a great tutorial, easy to use. However, how does the authentication work, is it by cookie? How long would one IP stay authenticated and can that setting be changed?

Name: Paul Maddocks | Email: admin at maddop dot com
I have used this again on http://www.maddop.co.uk/php
Name: Mike | Email: none
For anybody having trouble creating the blank .htaccess file in the first place, try this..

START > CONTROL PANEL > FOLDER OPTIONS > VIEW (tab)

Then UNTICK "hide extensions for known file types"

Then you will be able to change filename.txt to whatever you want! (including .htaccess)

Windows XP by default hides the extension for .txt docs, so even if you think you have changed the file extension, you may well have just created a file called ".htaccess.txt" without knowing it.

Hope that helps someone.
Name: Chandani Joshi | Email: moonlady01 at hotmail dot com
i      this dum tutorial website and my brother       on my computer. tell me a way to stop this
Name: Chuck E. | Email: chuck at homecert dot com
Great tutorial. This was almost too easy. Every other document I read about this made it seem overly complicated and left me with more questions than answers.

After reading this it took me all of about 10 minutes to implement and test - THANK YOU!

A couple of pointers for Windows users
1. You can use Notepad to create the files and save them to your local drive with the .txt extension
2. Use FTP to upload them and use the rename function to remove the .txt extension.

That's it!

Chuck
Name: Angel | Email: none
Great :) thanks, I used htaccess for quite a while, but the limit single file in directory example helped me out. Thanks!
Name: dom | Email: none
How is it i makes it work then, or if no then what if it can't be work, also when i has it on me pc i can't seem to be in any dirs you say i can / or get to my htaccess file at all
Name: Cris | Email: none
I think this is a great tutorial
Name: Glence | Email: foxlance_g at yahoo dot com
All .htaccess tutorials in the net seem harder to read for newbies. This one is good, pretty straightforward.

but

I can't make them work just like in any other tutorials. The default index page shows up, tried to disable them, but a ftp like environment shows up showing all files on the directory.

can anyone tell me what am i doing wrong?
Name: Eric | Email: none
Thanks for the tutorial. Simple, straightforward and easy to implement. Wish I'd known more about .htaccess years ago.
Name: Joyce Babu | Email: joyce1 at myaddress dot co dot nz
I have found your tutorial very useful. I would like to know whether I can protect my javascript codes using htaccess. Plz help me.
Name: rider | Email: taurus30_99 at yahoo dot com
Is there a way to make this directory/file level authentication work with PGP?
Name: Jomoweb | Email: none
JJ - In notepad, try saving it as ".htaccess" in quotation marks with save as file type All Files "*"
Name: sutha | Email: none
How do I use the ht access in tripod? It won't let me rename the file to .htaccess
Name: Daniel | Email: use contact form
Marc: You can't do that with .htaccess. You'd have to use PHP or Perl scripting for that.
Name: Admin Ramon | Email: none
I think it's the path not the url on AuthUserFile

(like home/domain/public_html/) or whatever.
Name: Daniel | Email: use contact form
John: You'll have to use PHP for that. The variable which contains the username is $_SERVER['PHP_AUTH_USER'].
Name: Don | Email: none
Great tutorial - so straightforward and easy to follow. Where should the file 'mygroups' reside? What should its full title be?
Name: Daniel | Email: use contact form
Hyper-Stream: Please ask your question in the forums, as this comments area is not designed for questions/answers/replies.
Name: Daniel | Email: use contact form
Nolan: Please post a detailed description of your problem in the forums, where we will be able to help you more easily.
Name: Nolan | Email: subzero at nc dot rr dot com
I guess I did something wrong with the HTML there. Oh well.
Name: Sander | Email: sander dot spamprotection dot demeulenaere at belgacom dot net
You can just open a dos box

(in winXP:  start->exec->cmd)

then:

edit .htaccess
you'll get a blue screen... Now: file->save
and then exit.

You now have the file in your home dir.

You can now manually move it :)

Grtz
Sandr
Name: drss | Email: drss87 at hotmail dot com
Very good tutorial, but it doesn't tell how to set up forms to work along with the .htaccess file...??? How do I set it up in the html file??
Name: June Beddows | Email: junebeddows at iib dot ws
I found this helpful and user friendly.

This page is © Copyright 2002-2014, 4WebHelp. It may not be reproduced without 4WebHelp's prior permission.