About Password Protection
Have you ever needed to password protect a portion of your website? With .htaccess, you can. This handy application allows you to limit access to your web files by setting up a password-protected directory. Any files you wish to secure are then be placed within that directory.
To see how password protection works, try the following demonstration.
At the NAME prompt, type secret.
At the PASSWORD prompt, type word.
Enter Password-Protected Directory
To set up this demo, we created the following files:
To learn how to create these files yourself, follow the step-by-step instructions provided below.
Step 1: Gather your tools
First, you'll need to make sure you have the right tools:
- A shell account
- Experience using a secure shell application, such as Secure Shell SSH or Terminal (see recommended software).
- Familiarity with basic UNIX commands
Step 2: Create the .htaccess file
1. Using a text editor, such as WordPad or TextEdit, create a new file and name it .htaccess.
(TIP: Don't forget the period in front of the name. Also, use a text editor to create the files. Word processing programs can add invisible characters to the code, which will break the .htaccess file.)
2. Place the following lines in the .htaccess file, replacing the x's with the path to your secure directory:
AuthUserFile /www/html/unlv/xxxxx/.htpasswd AuthType Basic AuthName 'Password-Protected Directory' <LIMIT GET> require valid-user </LIMIT>
AuthUserFile: This is the FULL path to the .htpasswd file (which you will create in Step 3). To determine the path to the .htpasswd file you are about to create, do the following:
Using your Secure Shell application, log in and navigate (cd command) into the directory you wish to secure.
At the tarantula% prompt, type pwd. This will give you the full path to your directory.
AuthName: The AuthName is displayed when the password dialog box is presented to the user. It can say anything you like. Generally, it should be a short description of the directory the user is about to enter. If AuthName is not specified, the default "ByPassword" is used.
3. Save the .htaccess file in the directory you wish to password protect.
4. Set the file permissions to 644 (chmod command).
Step 3: Create the .htpasswd file
1. Log in via your secure shell program.
2. Navigate (cd command) [unix.html] to the secure directory.
3. Create the password file by typing the following command at the tarantula % prompt:
htpasswd -c /www/html/unlv/xxxxx/.htpasswd username
TIP: The x's represent the full path to the .htpasswd file, and the -c option tells .htpasswd to create a new password file.
4. Add additional users to the password file with the following:
htpasswd /www/html/unlv/xxxxx/.htpasswd username
5. Set the file permissions to 644 (chmod command).
Step 4: Test Your Site
Test your website by trying to access the secure area with your web browser. If you've set everything up correctly, you should get the password dialog box. If the page opens without asking for a password, check the following:
- Is the text in your .htaccess file correct? Any typos will break .htaccess.
- Is the path to the .htpasswd file correct in your .htaccess file?
- Are the permissions set to 644 on .htaccess and .htpasswd?
- Did you upload the file .htaccess file as a text (ascii) file? If you uploaded the file as binary, .htaccess will break.
- You got the password dialog box once, but now it's not working? This is normal — your web browser remembers the login/password during your session, so you won't be prompted for the password again unless you quit your browser and reopen it.