In order to have a complete understanding of what a .htaccess file is, I suggest that you also read our Custom Errors tutorial and our Control File Defaults tutorial.
1. Using .htaccess to password protect your site
By default, all of your site is available to everyone to read. It may be that you want to protect all or part of your site, so that only users with valid usernames and passwords can access it. This section shows you how to use .htaccess to do this. It assumes, once again, that you want the effect to apply to the whole site - see section 10 for a discussion on protecting part of your site. The .htaccess file specifies the extent of the protection - it does not contain the passwords. These are stored in a separate file called .htpasswd, which is covered in the next section.
You need at least four lines in .htaccess to set up password protection. These are:
AuthName "Realm name"
AuthType Basic
AuthUserFile /BASEDIR/.htpasswd
require valid-user
/BASEDIR/ is the path to your root directory.
AuthName: Realm name is really just a piece of text that appears on the dialogue box asking for the password. See what it does in practice and then you can decide what text you would like here.
AuthType: Only Basic is possible at present. Another mode (Digest) is planned, which will be more secure, but there appears to be no release date for this yet.
AuthUserFile: The existence of the AuthUserFile line suggests that you can call the .htpasswd file something else. That is true, but it is best to call it .htpasswd, so that nobody can view its contents.
require: This says that any user validated by password is allowed; further on in the tutorial we show how this can be varied.
As well as these entries in the .htaccess file, you will need to set up a .htpasswd file - see the next section for details.
2. Creating the .htpasswd file.
The format of this file is simple. It consists of a series of usernames and passwords. Each line holds one username and the single password associated with it, separated by a colon. Here is an example:
frances:WrU808BHQai36
john:iABCQFQs40E8M
lisa:FAdHN3W753sSU
You may think these passwords are rather unrealistic and difficult to remember - the reason for this is that they are encrypted for security. The .htpasswd file does not hold the actual passwords in clear text - it holds them in a coded form. If you are running Apache (at least on Unix) there is a command called htpasswd which will translate clear text passwords into this encrypted form. What many webmasters do is use an on-line tool to do this translation. You can find such a tool in our Online Tools section.
NB: Although the .htpasswd file requires the passwords in encrypted form, the user must enter them in clear text.
You now have all the information you need to password-protect your site!
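An audit script for the file format described above, added here as an example (it is not part of the original tutorial): it classifies each entry by the hash formats Apache's htpasswd tool can write and flags the weak ones. The three entries shown on this page are 13-character traditional crypt(3) hashes; the other sample lines are constructed, and the function names are illustrative.

```python
import re

# Hash formats Apache's htpasswd tool can write: (label, pattern, acceptable?)
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), True),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), False),
    ("sha1-unsalted", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), False),
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"), False),
]

def classify(hash_field):
    """Return (scheme label, acceptable) for the part after the colon."""
    for label, pattern, acceptable in SCHEMES:
        if pattern.match(hash_field):
            return label, acceptable
    return "unknown-or-plaintext", False

def audit_htpasswd(text):
    """Return (line_no, user, scheme, problem) tuples for a .htpasswd body."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((line_no, None, None, "malformed line"))
            continue
        scheme, acceptable = classify(hash_field)
        if user in seen:
            findings.append((line_no, user, scheme, "duplicate user entry"))
        seen.add(user)
        if not acceptable:
            findings.append((line_no, user, scheme, "weak hash, regenerate as bcrypt"))
    return findings

# Lines 1-3 are the tutorial's own sample; the rest are constructed for the demo.
SAMPLE = "\n".join([
    "frances:WrU808BHQai36",
    "john:iABCQFQs40E8M",
    "lisa:FAdHN3W753sSU",
    "erin:$2y$10$" + "A" * 53,          # constructed, bcrypt-shaped placeholder
    "frances:{SHA}" + "B" * 27 + "=",   # constructed duplicate, unsalted SHA-1 shape
    "no-colon-here",                    # constructed malformed line
])

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```

Traditional crypt(3) hashes only use the first eight characters of the password; on Apache 2.4, htpasswd -B writes bcrypt entries instead.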
3. Using .htaccess in lower level directories.
So far we have talked about .htaccess as though it is one file that must go in the root directory. Not true. You can, if you choose, put a different .htaccess file in every directory. If you put a .htaccess file in the root, it will affect the whole site - all directories and all files in all directories and sub-directories. If you put it in a lower-level directory, it will affect the files in that directory, and all the subdirectories in that directory and all the files in those subdirectories - and so on.
You might, for example, put a .htaccess in your root directory which tells the system how to treat files with a suffix of .php, and you might have a different .htaccess file in another directory allowing users to view a directory listing, and you might set up another .htaccess file in a different directory to password protect only a small area of your site.
4. Advanced facilities for password protection
Other things you can do with .htaccess to control access include:
require user frances lisa
This would allow access to users frances and lisa (with a correct password) but not to user john. By using the same .htpasswd file, frances and lisa would not need a different password.
If you want to keep usernames out of the .htaccess file, you can instead refer to formal groups of users, like this:
require group women
AuthGroupFile /mygroups
mygroups would consist of a series of lines defining groups, like this:
men:john
women:frances lisa
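Protecting individual files
You may wish to protect a single file in a directory. To do this, set up the .htaccess file like this:
AuthName "Realm Name"
AuthType Basic
AuthUserFile /.htpasswd
Allow From All
<Files file.xxx>
# Ask for a valid username and password for this one file only
require valid-user
</Files>
This would password protect file.xxx only.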
AuthName
lines in each .htaccess file.
If you need to support a large number of users, simple .htpasswd text files will start to cause performance problems (because every file access in a protected area has to be checked for authentication by the server, even though the user only has to enter the password once). It is possible to use .dbm files instead, or to implement your own password protection system without using .htaccess - but this is beyond the scope of this tutorial.
5. Further information on .htaccess
You can also use the .htaccess file to, for example, do sophisticated redirection, and to prevent people from downloading your images. For more information on this, see Bill's advanced .htaccess tutorial at webxtractions.com.
For definitive information on .htaccess and .htpasswd on the webserver Apache, see www.apacheweek.com/features/userauth.
For definitive information about how user authentication works on the Internet, see the historic HTTP/1.0 and HTTP/1.1 documents, available at info.internet.isi.edu/in-notes/rfc/files/rfc1945.txt and info.internet.isi.edu/in-notes/rfc/files/rfc2068.txt respectively.
For another introduction to setting up user authentication, see the NCSA Tutorial at hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html - but beware that not all of this applies to Apache.
This tutorial is built from the contributions of k0z (who used to call himself Geneeus), Bill, Kjell, Choon, and Glenn. Other information derived from the Apache and Apache Week websites.
This document edited by Bill, 4 Nov. 2000. Screenshot added by Daniel, 25 Jun. 2002.
© 4WebHelp and Rod
http://apps.mathieu-rodic.com/Encryption/.htpasswd-Generator
Protecting individual files
You may wish to protect a single file in a directory. To do this, set up the .htaccess file like this:
AuthName "Realm Name"
AuthType Basic
AuthUserFile /.htpasswd
Allow From All
<Files file.xxx>
Deny From All
</Files>
This would password protect file.xxx only.
Shouldn't there be a require directive in there?
What about an Order directive?
How does this work?
Thanks
I tried to install .htaccess
ok
But in win it won't accept
.htpasswd.
Why?
I get wrong peep.???
Place the .htpasswd anywhere; wherever you place it, make sure you place the server path next to AuthUserFile in the .htaccess path so the htaccess file will look something like
AuthUserFile /hsphere/local/home/.htpasswd
The directory which you would like to password, place the .htaccess file in that directory and you're set to go.
To find out the server path login to your hosting package control panel and click on Domains and it should tell you in there could be named "HTML Directory Name"
For instance, The Password File. Where does it go and how is it implemented? I think more information on the basic setup could have been offered instead of a lot of conversation about the different way to use passwords & who gets in.
On a Scale of 1-10 I have to give this tutorial a 5 only because it fell short of fully explaining step by step instructions as it promised in the first few lines.
START > CONTROL PANEL > FOLDER OPTIONS > VIEW (tab)
Then UNTICK "hide extensions for known file types"
Then you will be able to change filename.txt to whatever you want! (including .htaccess)
Windows XP by default hides the extension for .txt docs, so even if you think you have changed the file extension, you may well have just created a file called ".htaccess.txt" without knowing it.
Hope that helps someone.
After reading this it took me all of about 10 minutes to implement and test - THANK YOU!
A couple of pointers for Windows users
1. You can use Notepad to create the files and save them to your local drive with the .txt extension
2. Use FTP to upload them and use the rename function to remove the .txt extension.
That's it!
Chuck
but
I can't make them work just like in any other tutorials. The default index page shows up; I tried to disable them, but an FTP-like environment shows up showing all files in the directory.
Can anyone tell me what I am doing wrong?
(like home/domain/public_html/) or whatever.
(in winXP: start->exec->cmd)
then:
edit .htaccess
you'll get a blue screen... Now: file->save
and then exit.
You now have the file in your home dir.
You can now manually move it
Grtz
Sandr