You are using a browser which is not compatible with CSS (for more information, see Tara's tutorial).
Because of this, it is possible that our website may not appear
correctly in your browser. We apologise for the inconvenience, and
recommend you upgrade your browser to one which is compatible with CSS.
For more information, please visit our Browser Upgrade page.
1. Using .htaccess to password protect your site
By default, all of your site is available to everyone to read. It may be that you want to protect all or part of your site, so that only users with valid usernames and passwords can access it. This section shows you how to use .htaccess to do this. It assumes, once again, that you want the effect to apply to the whole site - see section 10 for a discussion on protecting part of your site. The .htaccess file specifies the extent of the protection - it does not contain the passwords. These are stored in a separate file called .htpasswd, which is covered in the next section.
You need at least four lines in .htaccess to set up password protection. These are:
AuthName "Realm name"
/BASEDIR/ is the path to your root directory.
AuthName: Realm name is really just a piece of text that appears on the dialogue box asking for the password.
See what it does in practice and then you can decide what text you would like here.
AuthType: Only Basic is possible at present.
Another mode (Digest) is planned, which will be more secure, but there appears to be no release date for this yet.
AuthUserFile: The existence of the AuthUserFile line suggests that you can call the .htpasswd file something else.
That is true, but is best to call it .htpasswd, so that nobody can view its contents.
require: This says that any user validated by password is allowed; further on in the tutorial we show how this can be varied.
As well as these entries in the .htaccess file, you will need to set up a .htpasswd file - see the next section for details.
2. Creating the .htpasswd file.
The format of this file is simple. It consists of a series of usernames and passwords. Each line holds one username and the single password associated with it, separated by a colon. Here is an example:
You may think these passwords are rather unrealistic and difficult to remember - the reason for this is that they are encrypted for security. The .htpasswd file does not hold the actual passwords in clear text - it holds them in a coded form. If you are running Apache (at least on Unix) there is a command called htpasswd which will translate clear text passwords into this encrypted form. What many webmasters do is use an on-line tool to do this translation. You can find such a tool in our Online Tools section.
NB: Although the .htpasswd file requires the passwords in encrypted form, the user must enter them in clear text.
You now have all the information you need to password-protect your site!
3. Using .htaccess in lower level directories.
So far we have talked about .htaccess as though it is one file that must go in the root directory. Not true. You can, if you choose, put a different .htaccess file in every directory. If you put a .htaccess file in the root, it will affect the whole site - all directories and all files in all directories and sub-directories. If you put it in a lower-level directory, it will affect the files in that directory, and all the subdirectories in that directory and all the files in those subdirectories - and so on.
You might, for example, put a .htaccess in your root directory which tells the system how to treat files with a suffix of .php, and you might have a different .htaccess file in another directory allowing users to view a directory listing, and you might set up another .htaccess file in a different directory to password protect only a small area of your site.
4. Advanced facilities for password protectionOther things you can do with .htaccess to control access include:
require user frances lisaThis would allow access to users
lisa(with a correct password) but not to user
john. By using the same .htpasswd file,
lisawould not need a different password. If you want to keep usernames out of the .htaccess file, you can instead refer to formal groups of users, like this:
require group women
mygroupswould consist of a series of lines defining groups, like this:
AuthName "Realm Name"
Allow From All
Deny From All
AuthNamelines in each .htaccess file.
If you need to support a large number of users, simple .htpasswd text files will start to cause performance problems (because every file access in a protected area has to be checked for authentication by the server, even though the user only has to enter the password once. It is possible to use .dbm files instead, or to impleent your own password protection system without using .htaccess - but this is beyond the scope of this tutorial.
5. Further information on .htaccess
You can also use the .htaccess file to, for example, do sophisticated redirection, and to prevent people from downloading your images. For more information on this, see Bill's advanced .htaccess tutorial at webxtractions.com.
For definitive information on .htaccess and .htpasswd on the webserver Apache, see www.apacheweek.com/features/userauth.
For definitive information about how user authentication works on the Internet, see the historic HTTP/1.0 and HTTP/1.1 documents, available at info.internet.isi.edu/in-notes/rfc/files/rfc1945.txt and info.internet.isi.edu/in-notes/rfc/files/rfc2068.txt respectively.
For another introduction to setting up user authentication, see the NCSA Tutorial at hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html - but beware that not all of this applies to Apache.
This tutorial is built from the contributions of k0z (who used to call himself Geneeus), Bill, Kjell, Choon, and Glenn. Other information derived from the Apache and Apache Week websites.
This document edited by Bill, 4 Nov. 2000. Screenshot added by Daniel, 25 Jun. 2002.
© 4WebHelp and Rod