.htaccess and .htpasswd

Today I’ve been struggling with .htaccess and .htpasswd in order to password-protect a directory on a site I’ve been working on.

I always find that when I Google for help I get sites that kind of help but not 100% so here’s my problem and solution.

The Problem

I have an admin area that needs protecting. HTTP Basic authentication is the simplest way to do this, and Apache enforces it through .htaccess and .htpasswd files that need to be set up accordingly. Note that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so it is only as secure as the connection carrying it: use it over HTTPS. I created .htaccess with the values:

AuthType Basic
AuthName "Authenticated Users only"
AuthUserFile /var/www/html/folder/subfolder/.htpasswd
require valid-user

Then I needed to create the .htpasswd file, and every website I found through Google told me I needed to telnet/ssh into my web account and run the htpasswd command. I don't have the option to do that, so I had to create the .htpasswd file as a text file on my PC and upload it via FTP. After much deliberating and googling I found an online htpasswd tool. Just type in what you want as the username and password and it produces the username:hash line in the format the htpasswd command would generate (the password is stored as a hash, not in plain text). Copy that text into a text file, save it as .htpasswd, upload both files to your server and voila. Bear in mind that typing a real password into a third-party website hands that password to the site; if you can, generate the hash locally instead.
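Generating the hash locally is straightforward. The following is an added example, not code from the original post or from any tool it mentions: it builds and verifies a .htpasswd line using only the Python standard library, implementing the APR1-MD5 scheme that Apache's htpasswd command produces by default, so the output can be pasted straight into .htpasswd. The username, password and salt used are made up.

```python
"""Added example (not the original post's code): generate and verify an
Apache .htpasswd entry locally with only the Python standard library,
using the APR1-MD5 scheme that Apache's htpasswd tool emits by default.
Hashing locally avoids pasting the real password into a third-party site.
The username, password and salt used below are made up."""
import hashlib
import secrets
from typing import Optional

# Alphabet Apache uses both for the salt and for the base64-like output
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' as Apache's apr_md5_encode computes it."""
    pw = password.encode()
    salt = salt[:8]  # Apache uses at most 8 salt characters
    sp = salt.encode()
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    # Mix in as many bytes of md5(pw+salt+pw) as the password is long
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    # For each bit of the password length add a NUL or the first pw byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching; the odd-looking schedule is the spec
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    # Bytes are interleaved in this fixed order before encoding
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def htpasswd_entry(user: str, password: str, salt: Optional[str] = None) -> str:
    """Build one 'user:hash' line for .htpasswd; salt is random unless given."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def check_password(entry: str, user: str, password: str) -> bool:
    """Verify a password against a 'user:$apr1$salt$hash' line."""
    name, _, stored = entry.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(apr1_md5(password, salt), stored)


if __name__ == "__main__":
    line = htpasswd_entry("admin", "correct horse")  # made-up credentials
    print(line)  # this is the line to paste into .htpasswd
    print(check_password(line, "admin", "correct horse"))
```

Each run produces a different line because the salt is random; that is expected, and any of them will verify. Apache 2.4's htpasswd can also produce bcrypt hashes (the -B flag), which are stronger than APR1-MD5 and the better choice where the server supports them.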

FTP woes

When I looked at the files on my FTP server just after uploading I could see them, but when I disconnected and reconnected a few minutes later they had seemingly disappeared. My technician explained:

By default Unix hides files starting with a dot; you need to use ls -la to see them.

The other quickly resolved problem was that Apache ignores .htaccess files unless the server configuration permits them for that directory (AllowOverride must include AuthConfig for the directives above). It was switched off on my host by default, but the technician re-enabled it and all was fine.

Update (17/09/2005)

It’s probably best you place the .htpasswd file somewhere away from the main site directory, i.e. outside the DocumentRoot, so a hacker can’t just type in www.yoursite.com/directory/.htpasswd and download your password hashes! The example I’ve used of /var/www/html/folder/subfolder/.htpasswd shouldn’t be copied and is very insecure. A much better solution would be /var/.htpasswd, or any other location outside the web root that the Apache user can read and nobody else needs to.

You should also set up Apache so it doesn’t serve your .htaccess or .htpasswd files to anyone. The stock httpd.conf already contains a <Files>/<FilesMatch> rule denying access to any file whose name begins with .ht; check that your host hasn’t removed it.
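Putting the two update points together, here is an added example of the corresponding server configuration; it is not from the original post and the host name, paths and certificate files are assumptions. It moves the authentication rules out of .htaccess into the virtual host (which Apache honours regardless of AllowOverride), points AuthUserFile outside the DocumentRoot, denies access to .ht* files, and redirects plain HTTP to HTTPS so the Basic-auth credentials never travel in the clear. The syntax is Apache 2.4; on 2.2 replace "Require all denied" with "Order allow,deny" followed by "Deny from all".

```apache
# Added example, not part of the original post. Host name, paths and
# certificate locations are assumptions.

<VirtualHost *:443>
    ServerName www.yoursite.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/yoursite.pem      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/yoursite.key    # assumed path

    # Same rules as the .htaccess in the post, but kept in the server
    # config. The password file lives outside DocumentRoot, so no URL
    # maps onto it; it must still be readable by the Apache user.
    <Directory "/var/www/html/admin">
        AuthType Basic
        AuthName "Authenticated Users only"
        AuthUserFile /var/.htpasswd
        Require valid-user
    </Directory>

    # Never serve .htaccess/.htpasswd even if one is copied under
    # DocumentRoot by mistake. The stock httpd.conf ships this rule.
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
</VirtualHost>

# Basic auth sends credentials base64-encoded on every request, so
# do not accept them over plain HTTP: send everything to HTTPS.
<VirtualHost *:80>
    ServerName www.yoursite.com
    Redirect permanent / https://www.yoursite.com/
</VirtualHost>
```

If you can only edit .htaccess (no access to the server config), the minimum your host needs to set for you is AllowOverride AuthConfig on the directory; the AuthUserFile path and the .ht* deny rule apply just the same.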
