Webpage Coding
Getting Started
#1 Example Webpage
#2 Adding CSS
Compatible CSS
#3 Adding Metadata
#4 JS Masked Email
#5 Sharing SSIs
#6 Support Testing
Password Access
Custom 404 Page
Next section...
JS Applications

Webpage Coding

Password Controlled Access

There are many reasons to wish to protect part of your website from general view. Perhaps it is a resource or service that you would like to charge money for, it may be a private member's area, the information may be of corporate value, there may be sensitive administration options and so on...

The Apache webserver's AccessFileName directive allows parts of the website to be password protected in this way.

In essence a file is created and located in the website directory to be protected. On receiving a request for any page within this directory, or any of those 'below' it the authentication request is passed back to the browser via the HTTP stream. This causes the browser to open its password dialogue box, and request a username and password. These are returned to the server, and if correct an authentication token is returned to the browser and the page is served. The token stays in effect until the browser window is closed. Without this token the server will not release any of the protected pages.

The protected area is known as a 'realm', it is possible to set up multiple areas within the website with different or even 'over-lapping' realms.

.htaccess Protection Example

The simplest way to explain this is by example...
A sub-directory has been created within this website /tech/webpage/secure and it contains a page with my bank details in it; /tech/webpage/secure/bankdetails.shtml Naturally I do not want to share this information with all and sundry and so I have chosen to password protect the directory.

For this example the username is fred, the password is sausage.

The first step is to create a text file within that directory and call it .htaccess note the leading dot on the filename. This file defines the authentication realm and gives the location of the required password file. The file contents are as follows:

AuthName "Bank Details"
AuthType Basic
require valid-user

AuthName defines the name of the 'realm', if other parts of the website are also protected and given the same AuthName, ie the same realm, then logging in here successfully will also gain access to these other locations without having to log in again.

AuthType determines what level of security is used.

AuthUserFile This tells Apache where to find the required password file.
[WEBSERVER_FILESYSTEM_PATH] is the full pathname to wherever the file is located on the webserver.
Note! If you are working under win32 Apache then this will need to be something like: c:/mywebsite/.htpasswd, note the forward slashes rather than back-slashes.

require This configuration method is very flexible and allows group as well as user based configuration.
Further details are beyond the scope of this website, for more a more detailed discussion of these and other options see the Apache notes at: »http://httpd.apache.org/docs/2.0/howto/auth.html

You will also need to create the required pasword file with at least one username and password in it. Your Apache installation should come with a number of utilities to do this.

From the command line navigate to your .../apache/bin directory and type: htpasswd -h This should give you all you need to create a new password file from the command prompt using that information.

You are advised not to put the password file under your document root directory, this will prevent anyone accessing the file via the website.

You may also need to make some configuration changes to your httpd.conf file. You will need to set the AccessFileName to tell Apache which files to treat in this way, and also to add another directive which will prevent certain files ever being served so intruders cannot snoop your password related files, thus:

AccessFileName .htaccess

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All

You will also need to add specfic directives to ensure that Apache will follow the .htaccess files in preference to the main configuration in httpd.conf

  AllowOverride AuthConfig

Note! This method works for all webpages and files within the scope of the directory containing the .htaccess file. But CGI programs do not have a 'location' in this way so this method does not work! Worse still the authentication details are not accessible to the CGI stream, your CGI programs have no way to tell if you have logged in or what username you have used. Needlesstosay there is a solution to this, but it is rather more advanced and will be dealt with later on and separately in the CGI programming section.

And that is about it for password controlled access, this is the basic method, for further refinements or troubleshooting see the Apache documentation that came with your installation or go online and check the online Apache documentation.

But we're not quite done yet, there is something else that .htaccess files can do too, error handling...

Show Style-Switcher...