

The HTAccess Authentication/Password Protection tutorial covers web-based
user authentication using a .htaccess file.
Web-based authentication denies web access to visitors who do not give a valid
username and password. This password protection feature allows webmasters to
restrict access to certain directories. The usernames and encrypted passwords
are kept in a webmaster-maintained file. This is not the same as ordering
another FTPonly Account. Visitors do not need to have a MidAir Design account
to use Web-based access -- the mechanisms are separate and unique.
Difficulty: Easy to Medium
You will need the following basic skills:
Here we go!
The following is an example use of the .htaccess file. Let's assume that it
resides at /mnt/web/guide/somewhere/somepath/.htaccess
AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd
AuthGroupFile /dev/null
AuthName "Somewhere.com's Secret Section"
AuthType Basic
# No <Limit> wrapper: "require" then applies to every HTTP method, not only GET and POST
require valid-user
The .htaccess file affects the directory in which it is placed, so in this
example, any visitor requesting <URL:http://somewhere.com/somepath/>
would be presented with an authentication request.
The .htaccess file also affects directories recursively below it. Therefore,
requesting <URL:http://somewhere.com/somepath/evenmore/> would
yield the same authentication request unless ~/somepath/evenmore had
a .htaccess file of its own.
The first line, starting with AuthUserFile, tells the webserver where
to find your username/password file. We'll create that file in a minute. For
now, change the AuthUserFile line as necessary for your use.
Notice that the AuthName in the example, "Somewhere.com's Secret
Section," is used in the authentication request. Although the quotes are
not necessary in some older versions of Apache, we recommend using them to avoid
future incompatibility.
Using your favorite text editor, create a file similar to the example, replacing
AuthUserFile and AuthName with values for your situation. Be sure
to name the file .htaccess. (You can create the file locally and
FTP it up to the server or you can log into the server via telnet
and create the file using pico or joe.)
Now that we understand the basic .htaccess model, how can we specify who is
allowed? We'll create an .htpasswd file named in the AuthUserFile
line above.
To create an .htpasswd file, log in to the server via telnet and
go to the directory you specified in AuthUserFile. In the example, this
is /mnt/web/guide/somewhere/somepath. Then use the htpasswd
program with the -c switch to create your .htpasswd in the current
directory.
Type htpasswd -c .htpasswd username to create the file
and add "username" as the first user. The program will prompt you
for a password, then verify by asking again. You will not see the password when
entering it here:
wwwX:/mnt/web/guide/YOURDOMAINNAME/somepath# htpasswd -c .htpasswd username
Adding password for username.
New password: password
Re-type new password: password
To add more users in the future, use the same command without the -c
switch: htpasswd .htpasswd bob will add username "bob"
to your .htpasswd file.
To delete users, open the .htpasswd file in a text editor and delete the appropriate
lines:
username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2
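The entries listed above are 13-character crypt(3) hashes, a format Apache's documentation calls insecure because only the first 8 characters of the password are used. The audit script below is an added example, not part of the original tutorial. It flags such entries, and also checks an .htaccess file for a Limit wrapper and for a password file kept inside the protected directory. The function names, the finding labels and the sample dave entry are assumptions made for illustration.

```python
import re

# Constructed sample files in the tutorial's style; dave's hash is a made-up string.
HTPASSWD = """\
username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2
dave:$2y$10$0123456789abcdefghijk.ABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""
HTACCESS = """\
AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd
<Limit GET POST>
require valid-user
</Limit>
"""

# (pattern, scheme name, weak?) tried in order against the stored hash.
SCHEMES = [
    (r"\$2[aby]\$", "bcrypt", False),
    (r"\$[56]\$", "sha2-crypt", False),
    (r"\$apr1\$", "apr1-md5", False),
    (r"\{SHA\}", "sha1-unsalted", True),
    (r"[./0-9A-Za-z]{13}$", "des-crypt", True),  # crypt(3): only 8 password chars count
]

def classify(hashed):
    for pattern, name, weak in SCHEMES:
        if re.match(pattern, hashed):
            return name, weak
    return "plaintext-or-unknown", True

def audit_htpasswd(text):
    """Return [(user, scheme)] for every entry stored with a weak scheme."""
    findings = []
    for line in text.splitlines():
        user, sep, hashed = line.partition(":")
        name, weak = classify(hashed.strip())
        if sep and weak:
            findings.append((user, name))
    return findings

def audit_htaccess(text, protected_dir):
    """Flag a <Limit> wrapper and a password file kept inside the protected tree."""
    findings = []
    if re.search(r"(?im)^\s*<Limit\s", text):
        findings.append("limit-wrapper")  # methods not listed skip authentication
    m = re.search(r"(?im)^\s*AuthUserFile\s+(\S+)", text)
    if m and m.group(1).strip('"').startswith(protected_dir.rstrip("/") + "/"):
        findings.append("password-file-in-web-tree")
    return findings
```

Entries it reports can be re-created with a stronger scheme by running htpasswd again for that user, for example with the -B (bcrypt) switch on Apache 2.4.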
To learn more about htaccess's capabilities, check out NCSA's site.