Password Protecting Web Directories with .htaccess

You can now password-protect specific directories within your website by placing special access control files in the directories you want to protect.
 

    Create a ".htaccess" file. This is an Access Control File which will contain rules on who can access your website. 

    Create a ".htpass" file. This is a password file which will contain a list of Usernames and Passwords of people who can access your protected directory. 

    Transfer the ".ht" files. Transfer both of these files to the directory you wish to protect. 

    More about ".htaccess". There is more to ".htaccess" than meets the eye. Here is some additional information.


1. Create the ".htaccess" access control file

Create this file using Notepad or SimpleText or some other plain text editor. When complete, transfer the file using your favourite FTP program to the directory to be protected in your WEBPOST web account. Here is a sample of the ".htaccess" file used to protect this directory:

 

AuthUserFile /usr/local/ns-home/docs/webpost/help/PasswordProtection/.htpass
AuthName My Web Site
<Limit GET POST>
require valid-user
</Limit>

Leave a blank line at the end of your file.

Note: If you cannot create a file called ".htaccess" on your PC, give it a different name such as "htaccess.txt". When you transfer this file to your WEBPOST account, use your FTP program to rename it to ".htaccess". Your directory will not be protected unless a valid ".htaccess" and a valid password file are both present.

2. Create the ".htpass" user/password file

The ".htpass" file is a list of usernames and encrypted passwords that may look like the following: 

     PHIL1010:9AFcmybXs1JV2
     SOCRATES:o8d8I.6b.hwWg
     PLATO:wizDR5wi.JkYc

Each username and password is separated by a colon. You can create this file on any DOS, Windows 3.x/95/98/NT system using the following utility: htpass.exe

    Download htpass to your local drive and store it in a directory such as "C:\WEBPASS" 

    Open a DOS shell window and change into the WEBPASS directory. 

    Enter the following command to create a password file and add your first user: 

    htpass -c htpass.pwd myclass 

    You will first be prompted for a password for "myclass" (or whatever username you choose). You will be prompted to re-type the password a second time. Here is what the session would look like:   

    C:\webpass>htpass -c htpass.pwd myclass
    Adding password for myclass.
    New password:
    Re-type new password:
    
    C:\webpass>
    The "-c" switch creates the specified password file. After the file has been created, you can add new users or change existing passwords with the following command:

    htpass htpass.pwd nextuser

    C:\webpass>htpass htpass.pwd nextuser
    Adding password for nextuser.
    New password:
    Re-type new password:
    
    C:\webpass>

     

The simplest approach is to create a single login for your site and share that password with anyone authorized to get in. If you prefer, you can create dozens of passwords -- enough for each member of your class. If you choose to use this service, it will be up to you to manage these passwords.


3. Transfer ".htaccess" and ".htpass" to the protected directory in your WEBPOST account.

In order to work, your protected directory must contain valid .htaccess and .htpass files. On some systems (DOS, Windows 3.x), you cannot create file names such as ".htaccess". However, you can transfer these files to your WEBPOST account under another name using FTP and, once they have been transferred, use your FTP program to rename them.

Security note: we have configured our web server so that ".htaccess" and ".htpass" files cannot be viewed by any browser over the web. If you make frequent changes to your ".htpass" file, you can also call it "htpass.pwd"; "htpass.pwd" files cannot be viewed by browsers on www.yorku.ca either.
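Before uploading, it is worth checking the two files against the requirements in steps 1 to 3 above. The script below is an added example, not code from the original page or from York University; it assumes you know the server path of the directory being protected (SAMPLE_DIR is the path from the step 1 sample) and it flags the mistakes this page warns about: a missing or misplaced AuthUserFile, no "require" inside <Limit> (the server then never asks for a login), a password file whose name the server would happily serve to a browser, malformed or plaintext ".htpass" entries, and a missing final newline.

```python
"""Pre-upload checks for a .htaccess / .htpass pair (added example).

Not code from the original page or its author: it reads the two files
steps 1-3 tell you to create and flags mistakes that leave a directory
unprotected or make the password file downloadable. Sample contents and
the protected-directory path below are constructed for the demonstration.
"""
import re

# File names the page says the www.yorku.ca server will not serve to browsers.
HIDDEN_BASENAMES = {".htaccess", ".htpass", "htpass.pwd"}

# Traditional crypt() output: 2-char salt + 11 chars from the same alphabet.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def check_htpass(text):
    """Return a list of problems found in the body of a .htpass file."""
    problems, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.count(":") != 1:
            problems.append(f"line {lineno}: expected exactly one colon")
            continue
        user, pw = line.split(":")
        if not user or re.search(r"\s", user):
            problems.append(f"line {lineno}: bad username {user!r}")
        if user in seen:
            problems.append(f"line {lineno}: duplicate user {user!r}")
        seen.add(user)
        if not CRYPT_RE.match(pw):
            # A plaintext or empty field never matches what the server computes.
            problems.append(f"line {lineno}: {user!r} has no 13-char crypt() hash")
    if not seen:
        problems.append("no users defined; nobody can log in")
    return problems


def check_htaccess(text, protected_dir):
    """Return problems in a .htaccess body meant to protect protected_dir."""
    problems, directives = [], {}
    depth, require_in_limit = 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("<limit"):
            depth += 1
            continue
        if line.lower() == "</limit>":
            depth -= 1
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), value.strip())
        if key.lower() == "require" and depth > 0:
            require_in_limit = True
    if depth != 0:
        problems.append("<Limit> / </Limit> tags are unbalanced")
    if "authname" not in directives:
        problems.append("AuthName missing; the login prompt will have no realm")
    path = directives.get("authuserfile")
    if path is None:
        problems.append("AuthUserFile missing; there is no password file to check against")
    else:
        directory, _, basename = path.rpartition("/")
        if not path.startswith("/"):
            problems.append("AuthUserFile must be the full path as seen from the server")
        if directory != protected_dir.rstrip("/"):
            problems.append(f"AuthUserFile does not point into {protected_dir}: {path}")
        if basename not in HIDDEN_BASENAMES:
            problems.append(f"password file {basename!r} is not a name the server hides from browsers")
    if not require_in_limit:
        # Without a require inside <Limit>, the server never asks for a login.
        problems.append("no 'require' inside <Limit>; the directory is not protected")
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline")
    return problems


# Constructed inputs: the page's own sample .htaccess and two .htpass entries.
SAMPLE_DIR = "/usr/local/ns-home/docs/webpost/help/PasswordProtection"
SAMPLE_HTACCESS = (
    f"AuthUserFile {SAMPLE_DIR}/.htpass\n"
    "AuthName My Web Site\n"
    "<Limit GET POST>\n"
    "require valid-user\n"
    "</Limit>\n"
)
SAMPLE_HTPASS = "PHIL1010:9AFcmybXs1JV2\nSOCRATES:o8d8I.6b.hwWg\n"

if __name__ == "__main__":
    print(check_htaccess(SAMPLE_HTACCESS, SAMPLE_DIR) or "htaccess OK")
    print(check_htpass(SAMPLE_HTPASS) or "htpass OK")
```

Run it on the files you are about to transfer; an empty list from both functions means the pair matches what sections 1 and 2 describe. The basename check exists because the server only hides ".ht*" and "htpass.pwd": a password file saved under any other name would be fetchable by URL, hashes and all.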


4. Additional Information:

There are a number of key words and sections that make up ".htaccess" files. 

Keyword/Section                    Explanation

AuthUserFile                       The full path on the server (as seen from www.yorku.ca) to the ".htpass" file in the protected directory. In other words, to protect http://www.yorku.ca/faculty/academic/professor/myclass you would need to specify:

                                   AuthUserFile /usr/local/ns-home/docs/webpost/faculty/academic/prof/myclass/.htpass

AuthName                           Simply the name of your protected area. It will appear in the login prompt.

<Limit GET POST> </Limit>          Use the Limit tags to specify the HTTP actions you wish to permit. GET and POST will allow users to get pages and post forms on your site.

require valid-user                 Allows all users in the specified .htpass file to log into the directory.

require user user1 user2 user3     Allows only the listed users to log into the directory.

 

The following Appendix is from Netscape's "Using .htaccess instead of .nsconfig".

Appendix A - Supported .htaccess Directives 

The following .htaccess directives are supported in this release: 


Allow 

Syntax: 

allow from host host ... 

where host is all, to allow access from all client hosts; a complete DNS host name or its trailing part (for example, a domain suffix); or a full IP address or its leading part.

Must be enclosed within a <Limit> range. 

Effect: 

Allows access to the specified hosts. Normally appears inside a <Limit> range. 

 


AuthGroupFile 

Syntax: 

AuthGroupFile filename 

where filename is the name of file containing group definitions in the form: 

    groupname: user user ...

Must not appear within a <Limit> range. 

Effect: 

Specifies that the named group file is to be used for any group definitions referenced in a require group directive. 

 


AuthUserFile 

Syntax: 

AuthUserFile filename 

where filename is the name of file containing user definitions in the form: 

    username:password

where username is a user login name, and password is the crypt()-encrypted password. 

Must not appear within a <Limit> range. 

Effect: 

Specifies that the named user file is to be used for any user names referenced in a require user or require valid-user directive. 

 


AuthName 

Syntax: 

AuthName authentication realm 

where authentication realm is a string identifying an authorization realm to be associated with any request for user authentication. 

Must not appear within a <Limit> range. 

Effect: 

The authentication realm string typically appears in the prompt for username and password on the client side. It may affect caching of username and password on the client. 

 


AuthType 

Syntax: 

AuthType Basic 

Must not appear within a <Limit> range. 

Effect: 

Specifies the user authentication method as HTTP Basic Authentication, the only method currently supported. 

 


Deny 

Syntax: 

deny from host host ... 

where host is all, to deny access from all client hosts; a complete DNS host name or its trailing part (for example, a domain suffix); or a full IP address or its leading part.

Must be enclosed within a <Limit> range. 

Effect: 

Denies access to the specified hosts. Normally appears inside a <Limit> range. 

 


<Limit>  

Syntax: 

<Limit method method ...> allow, deny, order, or require directives </Limit> 

where method is a HTTP method such as GET, POST, or PUT. 

Effect: 

Applies the enclosed directives only for requests using the specified HTTP methods. 

 


Order 

Syntax: 

order ordering 

where ordering is one of: 

allow,deny 
deny,allow 
mutual-failure 

Must be enclosed within a <Limit> range. 

Effect: 

allow,deny evaluates allow directives and then deny directives. deny,allow evaluates deny directives and then allow directives.
mutual-failure denies access for a host listed in both allow and deny directives, regardless of their ordering.

 


Require 

Syntax: 

require group groupname groupname ... 
require user username username ... 
require valid-user 

Must be enclosed within a <Limit> range. 

Effect: 

require group requires the authenticated user to be a member of one of the specified groups. 

require user requires the authenticated user to be one of the specified users. 

require valid-user requires an authenticated user. 

 


Here is a sample .htaccess file, so you can see what it looks like. 

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName mxyzptlk.kawaii.com
AuthUserFile /DocRoot/mxyz-docs/_vti_pvt/service.pwd
AuthGroupFile /DocRoot/mxyz-docs/_vti_pvt/service.grp
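To see how the appendix directives combine for a single request, here is an added example that models the decision; it is not Netscape's code or the page's. The function names (host_matches, parse_htaccess, request_permitted), the sample .htaccess, user and group files, and the .example.edu / 192.0.2. addresses are all constructed for the demonstration. Since the Order entry above does not spell out each ordering's starting state, the example assumes the NCSA/Apache 1.x convention: under allow,deny a host is refused unless an allow matches and no deny does, under deny,allow a host is admitted unless a deny matches and no allow does, and mutual-failure behaves like allow,deny. Password checking itself is out of scope; the caller passes the already-authenticated user name.

```python
"""Access-decision model for the appendix directives (added example).

Not Netscape's or the page's code. Assumed NCSA/Apache 1.x convention:
'order allow,deny' refuses a host unless an allow matches and no deny does;
'order deny,allow' admits a host unless a deny matches and no allow does;
'mutual-failure' behaves like allow,deny. Passwords are taken as already
verified; all file contents below are constructed for the demonstration.
"""
import re

def host_matches(pattern, host, ip):
    """'all', a DNS name or its trailing part, or a full/partial IP address."""
    if pattern == "all":
        return True
    if re.fullmatch(r"[0-9.]+", pattern):   # partial IP = leading octets
        return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")
    suffix = pattern.lstrip(".")
    return host == suffix or host.endswith("." + suffix)

def parse_htaccess(text):
    """Return (directives outside <Limit>, list of <Limit> blocks)."""
    outer, limits, block = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<limit\s+(.*)>$", line, re.I)
        if m:
            block = {"methods": set(m.group(1).upper().split()), "allow": [],
                     "deny": [], "require": [], "order": "deny,allow"}
            limits.append(block)
        elif line.lower() == "</limit>":
            block = None
        elif line:
            key, _, value = line.partition(" ")
            key, value = key.lower(), value.strip()
            if block is None:
                outer[key] = value
            elif key in ("allow", "deny"):
                block[key].extend(value.split()[1:])    # skip the word 'from'
            elif key == "order":
                block["order"] = value.lower()
            elif key == "require":
                block["require"].append(value.split())
    return outer, limits

def host_allowed(block, host, ip):
    in_allow = any(host_matches(p, host, ip) for p in block["allow"])
    in_deny = any(host_matches(p, host, ip) for p in block["deny"])
    if block["order"] == "deny,allow":
        return in_allow or not in_deny      # deny first, a matching allow overrides
    return in_allow and not in_deny         # allow,deny and mutual-failure

def user_allowed(block, user, users, groups):
    """Apply the block's require directives; none means no login is needed."""
    if not block["require"]:
        return True
    if user is None or user not in users:   # must exist in AuthUserFile
        return False
    for kind, *names in block["require"]:
        if kind == "valid-user" or (kind == "user" and user in names):
            return True
        if kind == "group" and any(user in groups.get(g, ()) for g in names):
            return True
    return False

def parse_users(text):
    return dict(l.split(":", 1) for l in text.splitlines() if ":" in l)

def parse_groups(text):
    pairs = (l.partition(":") for l in text.splitlines() if ":" in l)
    return {name.strip(): set(members.split()) for name, _, members in pairs}

def request_permitted(htaccess, users_text, groups_text, method, host, ip, user=None):
    _, limits = parse_htaccess(htaccess)
    users, groups = parse_users(users_text), parse_groups(groups_text)
    for block in limits:
        if method.upper() in block["methods"]:
            if not host_allowed(block, host, ip) or not user_allowed(block, user, users, groups):
                return False
    return True   # a method named in no <Limit> block is not restricted at all

# Constructed sample: group-restricted reads from campus, uploads refused outright.
SAMPLE_HTACCESS = """\
AuthName Staff Area
AuthUserFile /DocRoot/example/.htpass
AuthGroupFile /DocRoot/example/.htgroup
<Limit GET POST>
order deny,allow
deny from all
allow from .example.edu 192.0.2.
require group staff
</Limit>
<Limit PUT DELETE>
order allow,deny
deny from all
</Limit>
"""
SAMPLE_USERS = "PHIL1010:9AFcmybXs1JV2\nSOCRATES:o8d8I.6b.hwWg\nPLATO:wizDR5wi.JkYc\n"
SAMPLE_GROUPS = "staff: SOCRATES PLATO\n"
```

Two things the model makes visible: a valid login is not enough when require names a group the user is not in (PHIL1010 above can authenticate but is still refused), and a method that appears in no <Limit> block is not restricted at all, which is why the sample names every method that can reach or change the content rather than only GET and POST.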

Last revised: Rod Potter / Sept 22, 1998
York University