Password Protecting a Web Directory

The files .htaccess and .htpasswd are used to password protect web directories.
.htaccess
The .htaccess file contains a series of commands and is used by the web
server to control operations on the website. This file is a plain text
file, and is named exactly .htaccess (just the extension with no name in
front, and all lowercase). Each line in the file usually has one
command, and the file needs to be uploaded to the website as a TEXT file
and not BINARY. The file is placed in the directory you want to protect.
Prevent the viewing of .htaccess by users by entering these commands in .htaccess:
<Files .htaccess>
order allow,deny
deny from all
</Files>
.htpasswd
The .htpasswd file contains the username and password the user has to
enter, placed together on a single line. This file is a plain text file.
The username is entered first, then a colon, and then the password.
The password is entered in an encrypted (hashed) format, not as plain text.
See the PHP program below for encrypting the password.
If possible, this file should be placed above the root directory of your
website where it is not web accessible. However, since this is not
possible with every hosting account, you can place it in the same
directory as the .htaccess file. In that case, a <Files .htpasswd> block
like the one shown above for .htaccess keeps users from viewing it.
Here is an example record in the file:
joeuser:dGy4V.NiPAODg
joeuser = username
dGy4V.NiPAODg = encrypted password for the word testing
The user would enter joeuser for the username, and testing for the
password when prompted by the server (for this example).
Here is a sample of the commands to enter into the .htaccess file:
AuthUserFile /home/user/public_html/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Area"
AuthType Basic
require valid-user
The first line has the location of the .htpasswd file on the web server.
This location will be different for each situation. The location is the
'Absolute Path' of the file, and it may not be easily available.
Here is an example:
The web site file:
http://www.products.com/catalog/.htaccess
may have an absolute path of:
/homepages/users/htdocs/products/catalog/.htaccess
So how do we find the absolute path?
See the PHP Example below
The third line has the message that will be displayed to the users when
they try to access files in the directory - in this case "Restricted Area".
PHP Program to get the Absolute Path
- Create a PHP program with the following commands. Name it anything you like, but give it a .php extension (example: getpath.php).
<?php
echo "Absolute Path is: " . getcwd() . "\n";
?>
- Upload this file through FTP to the directory on the website you need information for.
- Access this file in a browser, and it will display the Absolute Path.
  Example: http://www.products.com/catalog/getpath.php
- When finished, delete this file from the website to avoid any security risk.
PHP program for Encrypting Passwords
Note: This program only works with Unix or Linux based Web Servers
- Create a PHP program with the program commands below. Name it
  anything you like, but give it a .php extension (example: htpasswd-generator.php).
- Upload this file through FTP to your website.
- Access this file in a browser.
  Example: http://www.products.com/htpasswd-generator.php
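<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>.htpasswd Encryption Generator</title>
<meta name="description" content=".htpasswd Encryption Generator" />
</head>
<body>
<?php
// Run only when the form below has been submitted.
if (isset($_POST['password'])) {
    $password = $_POST['password'];
    // With a base64 string as salt, crypt() uses traditional DES crypt, which
    // reads only the first two salt characters (taken here from the password).
    $passwordenc = crypt($password, base64_encode($password));
    // Escape before output so the submitted value cannot inject markup.
    echo "<br />Original Password: " . htmlspecialchars($password, ENT_QUOTES, 'ISO-8859-1') . "<br />";
    echo "Encrypted Password: " . htmlspecialchars($passwordenc, ENT_QUOTES, 'ISO-8859-1') . "<br /><br />";
}
?>
<h1>.htpasswd Encrypter</h1>
<br />
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'ISO-8859-1'); ?>" >
Enter Password: <input type="TEXT" name="password" size="25">
(then press Enter)
</form>
<br />
</body>
</html>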
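As an added example (not part of the original page), the Python script below audits .htpasswd records of the kind described above: it identifies the hash scheme of each record and flags weak ones, including the 13-character traditional crypt format that the generator above produces. The function names, the verdict labels and every sample record other than joeuser are constructed for illustration.

```python
import base64
import re

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # 2 salt chars + 11 hash chars

def classify(hash_field):
    """Return (scheme, verdict) for the hash part of a .htpasswd record."""
    if re.match(r"\$2[aby]\$\d\d\$", hash_field):
        return ("bcrypt", "ok")
    if hash_field.startswith("$apr1$"):
        return ("apr1-md5", "legacy")  # verdict label is this example's own
    if hash_field.startswith("{SHA}"):
        return ("sha1-unsalted", "weak")
    if DES_CRYPT.fullmatch(hash_field):
        # Traditional crypt(3): 12-bit salt, only the first 8 password chars count.
        return ("des-crypt", "weak")
    return ("unknown-or-plaintext", "review")

def audit(text):
    """Parse .htpasswd text into (line_no, user, scheme, verdict) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not (sep and user and hash_field):
            findings.append((line_no, user, "malformed", "review"))
            continue
        findings.append((line_no, user) + classify(hash_field))
    return findings

def page_generator_salt(password):
    """Salt the page's crypt($password, base64_encode($password)) ends up using:
    DES crypt reads only the first two characters, so the salt is not random."""
    return base64.b64encode(password.encode("latin-1")).decode("ascii")[:2]

# Constructed sample: line 1 is the page's example record, the rest is made up.
SAMPLE = """\
joeuser:dGy4V.NiPAODg
# constructed records below; hash bodies are filler, not real hashes
alice:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("salt for 'testing':", page_generator_salt("testing"))
```

The salt check shows why the example record begins with dG: the generator derives the salt from the password, so two users with the same password get identical records.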