
.htaccess

From Software By Jeff

HTAccess Authentication Tutorial

This tutorial covers web-based user authentication using Apache's htaccess. Web-based authentication denies web access to visitors who do not give a valid username and password. This feature allows webmasters to restrict access to certain directories. The usernames and encrypted passwords are kept in a webmaster-maintained file. Visitors need not have an account on the web server to use Web-based access, just a name and password combination stored in a file on the web server.

Difficulty: Easy to Medium

You will need the following basic skills:

The following is an example use of the .htaccess file. Let's assume that it resides at /pathtowebdir/somepath/.htaccess to protect the /somepath directory in the web service.

AuthUserFile /pathtowebdir/somepath/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Required"
AuthType Basic
require valid-user

The .htaccess file affects the directory in which it is placed, so in this example, any visitor requesting http://somewhere.com/somepath/ would be presented with an authentication request.

The .htaccess file also affects directories recursively below it. Therefore, requesting http://somewhere.com/somepath/evenmore/ would yield the same authentication request unless /pathtowebdir/somepath/evenmore had a .htaccess file of its own.

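The first line, starting with AuthUserFile, tells the webserver where to find your username/password file. We'll create that file in a minute. For now, change the AuthUserFile line as necessary for your use. The example keeps .htpasswd inside the protected web directory, which relies on the server refusing requests for files whose names begin with .ht (Apache's default configuration does this); pointing AuthUserFile at a path outside the web-served tree removes that dependency.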

Notice that the AuthName in the example, "Password Required," is used in the authentication request. This is presented to the user when they first request access to the directory.

Using your favorite text editor, create a file similar to the example, replacing AuthUserFile and AuthName with values for your situation. Be sure to name the file .htaccess.

Now that we understand the basic .htaccess model, how can we specify who is allowed? We'll create an .htpasswd file named in the AuthUserFile line above.

To create an .htpasswd file, go to the directory you specified in AuthUserFile. In the example, this is /pathtowebdir/somepath. Then use the htpasswd program with the -c switch to create your .htpasswd in the current directory.

Type htpasswd -c .htpasswd username to create the file and add "username" as the first user. The program will prompt you for a password, then verify by asking again. You will not see the password when entering it. For example:

user@server:/pathtowebdir/somepath# htpasswd -c .htpasswd username
Adding password for username.
New password: password
Re-type new password: password

To add more users in the future, use the same command without the -c switch: htpasswd .htpasswd bob will add username "bob" to your .htpasswd file.

To delete users, open the .htpasswd file in a text editor and delete the appropriate lines. The file created as above will look like the following:

username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2
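
The two sample entries above are 13-character traditional crypt() hashes, a scheme that uses only the first 8 characters of the password. As an added example (not part of the original tutorial), the following Python script reads the contents of an .htpasswd file and reports which hash scheme each entry uses; the "acceptable" verdicts are this example's own policy, and the third sample line is a constructed placeholder rather than a real hash.

```python
import re

# Traditional crypt(3): 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# prefix -> (scheme, acceptable). "acceptable" is this example's policy.
PREFIXES = {
    "$2y$": ("bcrypt", True),
    "$apr1$": ("apr1-md5", False),     # salted, but only 1000 MD5 rounds
    "{SHA}": ("sha1-unsalted", False),
}

def classify(hash_field):
    """Return (scheme, acceptable) for the hash part of one .htpasswd line."""
    for prefix, verdict in PREFIXES.items():
        if hash_field.startswith(prefix):
            return verdict
    if DES_CRYPT.fullmatch(hash_field):
        # DES crypt only uses the first 8 characters of the password.
        return ("des-crypt", False)
    return ("unknown-or-plaintext", False)

def audit_htpasswd(text):
    """Return a list of (line_number, user, scheme, acceptable)."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # Apache skips these too
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user or not hash_field:
            results.append((lineno, user or None, "malformed", False))
            continue
        results.append((lineno, user, *classify(hash_field)))
    return results

# First two lines are the page's sample file; the third is a constructed
# placeholder (not a real hash) showing how a bcrypt entry is recognised.
SAMPLE = """\
username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2
carol:$2y$05$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH
"""

if __name__ == "__main__":
    for lineno, user, scheme, ok in audit_htpasswd(SAMPLE):
        print(f"line {lineno}: {user}: {scheme} ({'ok' if ok else 'WEAK'})")
```

Entries reported as weak can be re-created with htpasswd -B on Apache 2.4, which stores a bcrypt hash instead.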

Retrieved from "http://www.swbyjeff.com/index.php/.htaccess"

This page was last modified 16:19, 23 Mar 2006.

