- Perhaps you are working on a new website for a client, and you want your client to be able to see your work using their own browser over the internet, but you are not ready to publish the site just yet, and want to prevent anyone from stumbling upon the new web site. Use htaccess to allow your customer to simply type in a password, and only they will have access to see the new web site.
- Your website provides both free and paid for graphical images. Place the paid for graphics in a special password protected directory, and email your paying customers the password. Use htaccess to secure the directory that contains the paid for graphics.
- Your website has some maintenance functions, such as uploading a newsletter to the site, that should be accessible only to those individuals that maintain your site. Use htaccess to allow only those people with the password to access those maintenance screens and functions.
Here is a live example of using .htaccess. Go to the following URL and type user name of "guest" and password of "shop". This is an inventory maintenance program for an online shopping store. Only users who maintain the store can enter inventory items. A perfect application for using .htaccess!
Click here to see live example - http://www.tdavisconsulting.com/tdcw/prodmaint/k_catmaint.cgi>
One other thing to note about htaccess is that it is an Apache function, not a Microsoft function. So, you are not going to be able to use this if your hosting service or your web site is on an NT or Windows XP, server. Also, htaccess is just an ASCII file, so all you need to implement htaccess protection is a simple text editor like Notepad. You of course will need access to your server in order to upload the htaccess files.
Read on to see how!
How do I do it?
The first step is to open up Notepad or any other text editor, and create two files. The first file will contain the following lines. Type them just like you see here, except for the path information and user name. The path is the location that you will store the password, and the user name is the name that you will assign to the person(s) that you are giving access to. In this example, the path is /opt2/user/httpd/auth/.htpasswd. This is the exact location that you will put the password file (the 2nd text file that you will create). The location should be above your root directory so as to NOT be web accessible! The user name in this example is guest, but you can make this any name that you want. You can also have more than one if you want to give multiple user names and passwords.
1. Open notepad and type the following (anything italicized must be changed):
require user guest
2. Now save the text file that you just created and name the file x.htaccess. If you are using Notepad, then the .txt will be automatically added, and you will later have to rename the file. The extension of the file is .htaccess, and the file will have no name. This is confusing, but it is how it works. To get around a few problems with having a file named .htaccess (with no name, just an extension) I simply name the file x.htaccess for now, and rename the file later.
3. Now you have to assign a password. The password has to be encrypted. Fortunately, there are web site tools that helps you do this (an example URL is listed below). Go to the web site and type in the user name and the password that you want to assign (see figure 1). You will be given a encrypted password that you will key into the next text file you create (see figure 2, I entered a user name of tony, and password of tony, and the resulting encrypted password is displayed). The encrypted password and user name are exactly what I will type into my 2nd text file, that will be named .htpasswd.
4. Open notepad again, and type the resulting line from the encryption utility above.
5. Now save the text file that you just created and name the file x.htpasswd. Keep in mind that we will later have to rename the file because the file name must actually be .htpasswd. Naming the file x.htpasswd is simply a way to get around the problem of naming the file without a name (the same situation that we had with the .htaccess file).
6. Now you are ready to upload your two text files to your web server. To do this use any FTP utility such as WS_FTP32 or FTP Voyager. Your web hosting company may also have FTP tools available for you to use. The .htaccess file must be put in the same directory as the directory to be secured. The .htpasswd file can be put in any directory (remember that you had to specify the actual path) that you want; however, remember that it is more secure to put the file in a directory ABOVE the root directory.
Don't forget to rename your files to .htaccess and .htpasswd. You can do this either before or after you upload the files to the web server. And make sure when you upload the files, that you move them as ASCII files and not Binary.
One more thing about security: you should change the read authority of the .htaccess file to 644 or (RW-RR--). Use CHMOD to do this. Your web hosting company should have a utility to allow you to CHMOD your file. To learn more about CHMOD, go to http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?chmod.
Test the results by simply going to your directory using any browser. You should see a window similar to the one below. For example, if your web site is www.mywebsite.com, and the directory that you wanted to secure is /myimages, then type the following in your browser: http://www.mywebsite/myimages. If everything worked correctly, then you should see the following window. Now type in the user name and password that you have assigned, and you should be taken to the directory. Try entering an invalid user name and/or password too. You want to test for both positive and negative results.
- Create a text file named .htaccess
- Generate an encrypted password
- Create a text file name .htpasswd
- Upload the two text files to your web server
- The .htpasswd file goes in a directory above your root directory
- The .htaccess file goes in the directory that is to be password protected
- Change the CHMOD of .htaccess file to 644
- You are done!
There are other things that .htaccess can do for you. Do a little research to find out what they are. There is a ton of information out there about .htaccess. Or, wait for the next article from T. Davis Consulting Inc.
More things you can do with .htaccess:
- Create default error document
- Enable SSI via htaccess
- Deny users by IP
- Change your default directory page
- Prevent hotlinking of your images
- Prevent directory listing