The password protection and authentication systems offered by the Apache Web Server are probably the most important use of .htaccess files. Very easily, we can password protect a directory (or multiple) of a web site which require a username and password to access. The login procedure for these secure directories is handled automatically by the web browser using a pop-up login interface (you've probably seen these before). Passwords are also encrypted using one of the best encryption methods available which ensures login credentials are kept secure. In this section we will discuss the details of the .htaccess authentication system, we will explain how to set-up password protection, and a variety of helpful related information, we will also explain a variety of pre-made software which can be used to accomplish these tasks.
To begin, decide which directory you would like to password protect (note that all files and subdirectories within the directory will be password protected), then create a .htaccess file following the main instructions and guidance which includes the following text:
The first line tells the Apache Web Server the secure directory is called 'Member's Area Name', this will be displayed when the pop-up login prompt appears. The second line specifies the location of the password file. The third line specifies the authentication type, in this example we are using 'Basic' because we are using basic HTTP authentication and finally the fourth line specifies that we require valid login credentials, this line can also be used to specify a specific username, e.g. 'require user username' would require the username 'username'. You would use this if you were password protecting an administration area, rather than setting up a public password protected directory.
The location of the password file can be anywhere on your web server, the '/location/of/password/file/' must be replaced with the full/absolute path to the directory containing the password file, and the '.htpasswd' file must exist, this can however be called anything. We use the filename '.htpasswd' because the server will recognise the filename and will hide it from visitors. Note, some servers do require the password file be located in the same directory as the .htaccess file. It is also important to use a full/absolute server path for the location of the password file, a relative path, or any variation of a URL will not work.
The password file would contain something similar to the following text:
Now, you cannot just make up the password, on Unix/Linux servers they must be encrypted by the server, on Windows servers you do just use a plain text password as Windows does not offer any encryption methods. You can have any number of user records in your password file, one account per row, separating the username and password with a colon. ionix, offer a product called 'DirectoryPass' which is very useful for this task. DirectoryPass is a very simple Perl script which automates the process of setting up password protection, and more importantly creating the user accounts.
Setting up a password protected directory allows you to offer a member's area, offering a member's area on your web site is also a great way of tracking your web site visitors and a brilliant way of building a community feel on the web site. By asking visitors to register to access the content you are able to collect whatever information about the visitors that you require, whether it be the visitors country of residence, sex or professional status.
Such a system can be setup very easily these days thanks to the vast array of pre-made solutions available on the Internet, most of which are as easy to setup as the initial web site content. ionix offers two other solutions to this scenario which have proven very popular, one is called 'Locked Area' which has been available on the Internet for over eight years and is now in use on over fifty thousand web sites. This a very simple but effective member's area management system which is available completely free of charge, it can be used to set-up a secure member's area to store your content, it includes a registration system for your web site visitors to register for member's area access, and it includes a fantastic administration panel to help you manage accounts and email your members.
Another product offered by ionix is, 'OpenCrypt'. 'OpenCrypt' is ionix's enterprise solution for membership management and offers some impressive facilities including an extensive statistical analysis system and possibly the most flexible registration system seen in this market. Both products manage the security of your content and ensure that visitors cannot access the member's area without registering, 'OpenCrypt' also offers comprehensive facilities to prevent your visitors from sharing their login details which is especially important with high-demand web sites.
A variety of other solutions are available to accomplish this task, our advice would be to use a piece of software written in preferably Perl, or alternatively PHP. In our experience we would not recommend the use of software written in ASP or ColdFusion particularly when looking for security related software. We have listed a number of web sites which you will find useful when looking for similar solutions, namely Hot Scripts, CGI Resources and The CGI-Index.com.
Note, it is not possible to offer a log-out facility, the login details are cached in the web browser until the browser is closed, so visitors may leave the web site and return later in the session without being prompted to login again. When the browser is closed and re-opened the login details are deleted from the cache and the pop-up prompt will be displayed. The log-out facility has been discussed for some time, various methods have been suggested but none are reliable enough to be worth discussing.
Updated: 4th May 2008, 16th September 2015
"I am fairly new to html and I cant figure it out, can someone please explain this to me please?"
"I have a problem trying it. Whenever I put this line require valid-user into my .htaccess, the webpages in the folder .htaccess intends to protect gives Server Error upon access. Same thing happened for ErrorDocument blabla. If .htaccess contains it, error occurs. It is fine if the .htaccess only contains
AuthName Member's Area Name
I have .htpasswd in the same folder and those error pages."
"The .htpasswd file should be placed outside publicly accessible dirs, if at possible."
"An excellent article, thank you. Just what I needed."
"So you must either have a Windows server or use a program to do the whole thing for you? Are there no scripts/programs that could simply create an encrypted password (without managing the rest)?
Other than that I must say these guides for .htaccess are superb."