Webpage Coding

Password Controlled Access

There are many reasons to wish to protect part of your website from general view. Perhaps it is a resource or service that you would like to charge money for, it may be a private member's area, the information may be of corporate value, there may be sensitive administration options and so on...

The Apache webserver's per-directory configuration files, named by its AccessFileName directive, allow parts of the website to be password protected in this way.

In essence, a file is created and placed in the website directory to be protected. On receiving a request for any page within this directory, or any of those 'below' it, the authentication request is passed back to the browser via the HTTP stream. This causes the browser to open its password dialogue box and request a username and password. These are returned to the server and, if correct, an authentication token is returned to the browser and the page is served. The token stays in effect until the browser window is closed. Without this token the server will not release any of the protected pages.

The protected area is known as a 'realm'; it is possible to set up multiple areas within the website with different or even 'overlapping' realms.

.htaccess Protection Example

The simplest way to explain this is by example...
A sub-directory has been created within this website, /tech/webpage/secure, and it contains a page with my bank details in it: /tech/webpage/secure/bankdetails.shtml. Naturally I do not want to share this information with all and sundry and so I have chosen to password protect the directory.

For this example the username is fred, the password is sausage.

The first step is to create a text file within that directory and call it .htaccess (note the leading dot on the filename). This file defines the authentication realm and gives the location of the required password file. The file contents are as follows:

AuthName "Bank Details"
AuthType Basic
AuthUserFile [WEBSERVER_FILESYSTEM_PATH]/.htpasswd
require valid-user

AuthName defines the name of the 'realm'. If other parts of the website are also protected and given the same AuthName, i.e. the same realm, then logging in here successfully will also gain access to those other locations without having to log in again.

AuthType determines which authentication scheme, and therefore what level of security, is used; here it is Basic.

AuthUserFile tells Apache where to find the required password file.
[WEBSERVER_FILESYSTEM_PATH] is the full pathname to wherever the file is located on the webserver.
Note! If you are working under win32 Apache then this will need to be something like c:/mywebsite/.htpasswd; note the forward slashes rather than back-slashes.

require controls who is granted access once authenticated. This configuration method is very flexible and allows group-based as well as user-based configuration.
Further details are beyond the scope of this website; for a more detailed discussion of these and other options see the Apache notes at: http://httpd.apache.org/docs/2.0/howto/auth.html

You will also need to create the required password file with at least one username and password in it. Your Apache installation should come with a number of utilities to do this.

From the command line navigate to your .../apache/bin directory and type: htpasswd -h. This should give you all you need to create a new password file from the command prompt using that information.

You are advised not to put the password file under your document root directory; this prevents anyone from accessing the file via the website.
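To make the exchange described above concrete, here is a small simulation of the server's side of it: the 401 challenge carrying the realm name, the Authorization header the browser sends back, and the check against the password file. This is an added example written for this page, not code from the website or from Apache; it assumes a constructed .htpasswd in the {SHA} format that htpasswd -s produces (Apache's default apr1-MD5 and bcrypt formats are not handled here).

```python
import base64
import hashlib
import hmac

REALM = "Bank Details"  # the AuthName from the .htaccess example


def sha_entry(user, password):
    """Build an htpasswd line in the {SHA} format (base64 of raw SHA-1)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed password file for the example: one entry for fred / sausage.
HTPASSWD = sha_entry("fred", "sausage") + "\n"


def check_password(htpasswd_text, user, password):
    """True if the user exists and the password matches its {SHA} entry."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user or not stored.startswith("{SHA}"):
            continue
        candidate = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        # Constant-time comparison so timing does not leak how much matched.
        return hmac.compare_digest(stored[len("{SHA}"):], candidate)
    return False


def handle_request(headers, htpasswd_text=HTPASSWD):
    """Simulate the server's response to one request; returns (status, headers)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return 401, challenge  # no credentials yet: browser opens its dialogue
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 400, {}  # malformed header, not an authentication failure
    if check_password(htpasswd_text, user, password):
        return 200, {}
    return 401, challenge  # wrong credentials: challenge again


if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"Authorization": "Basic ZnJlZDpzYXVzYWdl"}))  # fred:sausage
```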

You may also need to make some configuration changes to your httpd.conf file. You will need to set AccessFileName to tell Apache which files to treat in this way, and also add another directive which prevents these files ever being served, so that intruders cannot snoop your password-related files, thus:

AccessFileName .htaccess

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

You will also need to add specific directives to ensure that Apache will honour the .htaccess files in preference to the main configuration in httpd.conf:

<Directory "[WEBSITE_DIRECTORY_PATH]">
  ...
  AllowOverride AuthConfig
  ...
</Directory>

Note! This method works for all webpages and files within the scope of the directory containing the .htaccess file. But CGI programs do not have a 'location' in this way, so this method does not work for them! Worse still, the authentication details are not accessible to the CGI stream: your CGI programs have no way to tell if you have logged in or what username you have used. Needless to say there is a solution to this, but it is rather more advanced and will be dealt with later on and separately in the CGI programming section.

And that is about it for password controlled access. This is the basic method; for further refinements or troubleshooting see the Apache documentation that came with your installation, or check the online Apache documentation.

But we're not quite done yet, there is something else that .htaccess files can do too, error handling...
