Password Protecting Pages

Password File

You can password protect a portion or all of your website. Two files are required for this: a password file containing usernames and encrypted passwords, and an ".htaccess" file.

The password file should be located outside of web accessible space because if someone can download the file, they can run a password guessing program like Crack on it and find many poorly chosen passwords. The Apache web server needs to be able to access this file but it should not be in a place where it can be served to the public.

To create this file, use htpasswd. If the password file doesn't yet exist, type:

     htpasswd -c filename user

This will create a file named filename with the first user and encrypted password.

To add additional users to an existing password file, type:

     htpasswd filename user

To delete a user you can either edit the file and just delete the line in question, or you can use htpasswd to do it:

     htpasswd -D filename user

The ".htaccess" File

The second file required to password protect a portion of your web site is a file called ".htaccess". This is placed in the directory to be protected. This file tells the web server where to find the ".htpasswd" file and what form of authentication to apply. This example shows how to use password authentication to protect a portion of your web space. It is also possible to limit access using groups, by domain name, or by address space. The format of the ".htaccess" file is:

     AuthUserFile /home/login/.htpasswd
     AuthGroupFile /dev/null
     AuthName ByPassword
     AuthType Basic

     # No <Limit> wrapper: the requirement then applies to every HTTP
     # method, not only the ones listed.
     require valid-user
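
As an added example (not part of the original page), this shell function checks an ".htaccess" file against the advice above: the file named by AuthUserFile must sit outside the document root, and its entries should not use a hash format that is cheap to guess offline. The function names and finding labels are this example's own, and it assumes AuthUserFile is an absolute path without spaces.

```sh
# Added example (not from the original page): audit an .htaccess and the
# password file it names. Assumes AuthUserFile is an absolute path without
# spaces. Returns 0 when clean, 1 when there is any finding.

# Canonicalise the directory part of a path (symlinked directories resolved).
canon() {
    d=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$d" "$(basename "$1")"
}

audit_htaccess() {   # usage: audit_htaccess DOCROOT HTACCESS
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "bad docroot"; return 1; }
    rc=0
    # Directive names are case-insensitive; take the first AuthUserFile.
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$2")
    [ -n "$pwfile" ] || { echo "MISSING: no AuthUserFile in $2"; return 1; }
    real=$(canon "$pwfile") && [ -r "$real" ] || { echo "MISSING: cannot read $pwfile"; return 1; }
    # A password file under the document root is in web-accessible space.
    case "$real" in
        "$docroot"/*) echo "EXPOSED: $real is under $docroot"; rc=1 ;;
    esac
    # Classify each entry by hash prefix; unsalted or legacy formats are the
    # ones an offline guessing tool recovers most cheaply.
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac
        case "$hash" in
            '{SHA}'*) echo "WEAK: $user uses unsalted SHA-1"; rc=1 ;;
            '$'*)     ;;   # salted scheme such as $apr1$ or $2y$ (bcrypt)
            *)        echo "WEAK: $user uses crypt() or plaintext"; rc=1 ;;
        esac
    done < "$real"
    return $rc
}
```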
Eskimo North • P.O. Box 55816 • Shoreline, WA 98155 • Tel: 206-812-0051 • Toll Free: 800-246-6874