Protect a directory with a password using .htaccess


When placing private files in your www directory or any directory inside it, it can be useful to password protect that directory. This way unauthorised users can't view your files.

Apache and other web servers offer ways to secure directories, so that only authorised individuals can access a protected directory.

A visitor confronted with a protected directory will see the following window, which you will probably recognize:

[Image: password protected directory]

The first step is creating the directory. If you already have a directory, skip this part. It's easy to create one with your regular FTP tool; if you use PuTTY you can use the command "mkdir directoryname".

The next step is to create a .htaccess file locally on your computer (use Notepad or another text editor) and put the following content in the file:
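AuthUserFile /usr/www/secured/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected page"
AuthType Basic
# No <Limit GET POST> wrapper here: inside <Limit> the password would only be
# required for GET and POST, leaving other HTTP methods unprotected.
require valid-user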
Edit the .htaccess file and change these two variables according to your wishes :

Now upload the .htaccess file into the directory you want to protect. Make sure you don't place the file in your main web directory by accident, otherwise no one can view your website without a username and password.

Once the .htaccess file is in place, we create the actual password file, named ".htpasswd". To create this file you need telnet or SSH access to your website.

You can gain telnet access by entering the Start->Run command "telnet www.yourdomain.com" and filling in your username and password.

You can gain access with SSH by using PuTTY, which can be downloaded freely.

Once connected to your web server, we have to enter a few commands to create our login data. Make sure you are currently in the directory you want to protect (use the command cd). Enter the command:
htpasswd -c .htpasswd username
The command line will ask you to enter a password twice. Now close your command line program and test your directory. You're done!

On some occasions you will want to add more users who can enter your directory. Use this command to add a new user; just make sure you are in the directory you want to secure for that user.
htpasswd .htpasswd new_username
Enter the required password twice again for this new user.


Getting rid of the password protection is easy. Get to the command line of the web server with PuTTY or telnet. Enter the following command in the password protected directory:
rm .htaccess

Keep in mind that usernames and passwords are sent over your internet connection as plain text, so this method is not 100% secure.
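
As an added example (not part of the original tutorial), the Python sketch below audits a .htaccess file for three weaknesses relevant to this setup: a require line that only covers some HTTP methods, Basic authentication that depends on HTTPS for confidentiality, and a password file kept inside the protected web directory. The function name audit_htaccess, the sample text and the protected directory /usr/www/secured (taken from the AuthUserFile path above) are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: a Basic-auth .htaccess whose require line sits in <Limit>.
SAMPLE = """AuthUserFile /usr/www/secured/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected page"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
"""

def audit_htaccess(text, protected_dir):
    """Return a list of findings for a password-protecting .htaccess file."""
    findings = []
    directives = {}       # lower-cased directive name -> argument string
    limit_methods = None  # methods of the enclosing <Limit> section, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Limit\s+([^>]*)>", line, re.I)
        if opened:
            limit_methods = opened.group(1).split()
            continue
        if line.lower() == "</limit>":
            limit_methods = None
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        directives[name] = parts[1].strip() if len(parts) > 1 else ""
        if name == "require" and limit_methods is not None:
            findings.append("require applies only to " + ",".join(limit_methods)
                            + "; other HTTP methods are not password protected")
    if "require" not in directives:
        findings.append("no require directive: nothing is protected")
    if directives.get("authtype", "").lower() == "basic":
        findings.append("AuthType Basic: credentials are readable in transit "
                        "unless the site is served over HTTPS")
    pw_file = directives.get("authuserfile", "").strip('"')
    if pw_file and PurePosixPath(protected_dir) in PurePosixPath(pw_file).parents:
        findings.append("password file is stored inside the protected web "
                        "directory; keep it outside the web-served tree")
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, "/usr/www/secured"):
        print("-", finding)
```
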



Posted by James on 2009-08-15 in the category "apache"