Using Apache htaccess to password protect documents

Introduction

Most web sites are run on servers which use the Apache software. This offers some very useful features for websites. For example, it allows you to password protect access to files in any directory – if the user does not know the password they cannot view the pages! It is very easy to add to your website with just 2 files (note both the files start with a dot).

.htaccess

Before letting any user access a file, Apache checks to see if this file exists in the directory with the file you are trying to access. If it exists, then it will use the values in the file. Here is a simple example from our website.

order allow,deny

allow from all

require valid-user

Authname "Password access required."

Authtype Basic

AuthUserFile /var/www/vhosts/idrsolutions.com/files/Cust/.htpasswd

This example does TWO things. Firstly it defines the access rules for this location. All files in the directory where the file is found can only be accessed with a login and password. Secondly, it defines that this will be found in a file /var/www/vhosts/idrsolutions.com/files/Cust/.htpasswd – this does not have to be the same directory but often is to simplify administration.

In order to use this feature, you need to know how the real paths on the server relate to your website. On our system, Apache maps our website http://www.idrsolutions.com to /var/www/vhosts/idrsolutions.com/ so anything in http://www.idrsolutions.com/files/Cust will be protected. (Note that this is often a Unix server so assume all values are case sensitive). You will need to ask whoever maintains your website for this information (although it is often /var/www/vhosts/mySite/).

.htpasswd

This file contains the login and passwords. It consists of a set of lines with

loginName: password (encrypted).

So when I added the user mark with the password test to my file, I added a line

mark:$6$7X9OefNE$3JxPhSS6gDWew1QZAJqS2JlUNt2Ly/r7uIMKpRkc1dsgRpaEEeYsiTYKDuk6.c9XjIFEZxXdgGTtQNhur2KyW/

A tip for when you add a user is to keep the entries in alphabetical order. This makes it much easier to manage.

When I try to access anything in this directory, a password box will popup and I will need to type in the username mark and the password test. If I do not, I will be told I cannot access the page.

The encrypted password is easily generated by a small php script on your website. I have this small file htpass.php on my website to generate the passwords for me.

<?php
 
$ht_pass = '';
$pass = '';
$usr = '';
 
if (isset($_POST['password']))
if($_POST['password']!= "" AND $_POST['user']!= "" ) {
    $usr = $_POST['user'];
    $pass = $_POST['password'];
    $ht_pass = crypt($pass);
}
print "<html><head><title>Password Encryption</title></head><body>
<form method=post action='htpass.php'>
<font size=5><b>.htpasswd File Password Encryption</b></font>
<br><br>Enter Username<br>
<input name=user value=$usr size=20>
<br><br>Enter Password<br>
<input name=password value=$pass size=20>
<br><br><input type=submit name=submit value='Encrypt Now'>
";
if (isset($_POST['password']))
    if($_POST['password'] != "" AND $_POST['user'] != "" ) {
        print "<br><br>.htpasswd File Code<br>$usr:$ht_pass";
    }
print "</form></body></html>";
?>

This looks like this when I open the link in my web browser.

apache password

 

Note that every time you rerun it, you will get a different (and still valid key to use).

Once you add this file to .htpasswd, the user will be able to access content in the directory (until you remove the line from the .htpasswd file).

Next steps

So there you have a very simple and easy way to control access to your website content based on password. If you would like to explore additional options or find out more details, I recommend the Apache website tutorial.

This article is part of a series of articles with suggestions for enhancing your HTML5 content. You can also read about Adding Annotations with Annotator.js, Adding Fullscreen using the JavaScript FullScreen API, Optimising Images using PNGQuant, and Measuring Content Performance with Google Analytics.

If you’re a first-time reader, or simply want to be notified when we post new articles and updates, you can keep up to date by social media (TwitterFacebook and Google+) or the Blog RSS.

Ebook Page Link

The following two tabs change content below.

Mark Stephens

System Architect and Lead Developer at IDRSolutions
Mark Stephens has been working with Java and PDF since 1999 and has diversified into HTML5, SVG and JavaFX. He also enjoys speaking at conferences and has been a Speaker at user groups, Business of Software, Seybold and JavaOne conferences. He has a very dry sense of humor and an MA in Medieval History for which he has not yet found a practical use.

Related Posts:

Markee174

About Mark Stephens

Mark Stephens has been working with Java and PDF since 1999 and has diversified into HTML5, SVG and JavaFX. He also enjoys speaking at conferences and has been a Speaker at user groups, Business of Software, Seybold and JavaOne conferences. He has a very dry sense of humor and an MA in Medieval History for which he has not yet found a practical use.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>