Protecting Directories on Web Sites
(Using .htaccess Files)
web site customers have the ability to password protect directories
that are available to the internet. By creating something called
a .htaccess file and uploading it to the directory you wish
to protect, a user can assign user names and passwords to this
directory. This document will explain the contents of a .htaccess
file and what's involved in setting up username/password protection
for a web directory.
After reading this document,
if you have any questions about setting up username/password
authentication for a web directory, please e-mail email@example.com.
|Explanation of .htaccess and password files
of a .htaccess file
AuthName "Members Only Area"
of the AuthName field
The AuthName field is just the text the gets displayed
on the username/password pop-up box. This is for informational
purposes, and does not effect the functionality of the
of the AuthUserFile field
The AuthUserFile specifies where the location of the
username/password file is. Normally you want to make
this field "/webusers/home-dir/password-file",
where "home-dir" is the name of the user account
of the web site, and "password-file" is the
name of the username/password file you wish to use.
For example, let's say the user account used to FTP
to the web site and make changes, is jsmith and the
password file name we want to use is member-passwords.
We would set the AuthUserFile field to the following:
a username/password file
The username/password file is just a plain text file,
that using colon delimiters to separate fields. A username/password
file is made up of the following fields:
The username field is the name of the user you wish
to allow access to an area. The crypted-password field
is the encrypted version of the password you wish to
use with this user, to allow access to an area.
This file can be created using a text editor (in Microsoft
Windows, it's best to use wordpad to create and edit
this file). Because the password field needs to be the
encrypted version, we need a program or something to
convert the plain text password to the encrypted version.
There are a couple of methods you can use to do this,
but the easiest is to use the following link:
In the Username and Password fields, enter in the username
and password you wish to use. Then click the "Submit-It"
button. You will then be brought to a page which will
look like the following:
In this case, the username was "jsmith", and
the password I put in was "badpassword". You
can see here the password got encrypted to qswoBji.QimIY.
Next, copy this line and paste it into the password
file you are creating. If you have multiple accounts,
repeat this process, putting each account on its own
separate line. Once the password file is done and contains
all the usernames and passwords you want, save the file
as the filename you want (i.e. member-passwords).
the .htaccess and password file and restricting access
to web directories
The next step will be to upload the .htaccess file and
password file to the appropriate directories, so that
we can restrict access to a certain web directory. First
thing is we will need a web directory that we wish to
restrict access to. In this case, it will be the following
Using an FTP client (like WS-FTP), we are going to upload
the .htaccess file into:
directory. The reason for this, is because this is the
directory we wish to protect. If we had different directories
we want to protect with separate user files, we would
put a configured .htaccess file into each directory
we wanted to protect. After uploading the .htaccess
file, we then upload the member-passwords file into
directory. The reason we want to put the member-passwords
file into the /webusers/jsmith directory is because
only content in the public_html directory is accessible
from the internet. And by putting the password file
into home directory, jsmith (the directory before public_html),
we prevent people on the internet from being able to
download the password file.
Once these files have been uploaded, whenever a user
attempts to access any content or directories in the
members-only directory, they will need a valid user
name and password that matches what's in the members-passwords
file. If you need a FTP program for the purpose of uploading
your .htaccess and password file, you can download one
at the following web address:
creating .htaccess file in Microsoft Windows
If you are having issues creating a .htaccess in Microsoft
Windows, the following procedure may provide a solution:
1. Instead of creating a file called .htaccess, call
the something different like my-htaccess (with no period
in the front).
2. Once this "my-htaccess" file has been configured,
upload it to the directory to restrict access to.
3. Once this file in the correct directory on the server,
using your FTP client (like WS-FTP), rename the file
from my-htaccess to .htaccess.