Securing Directories With htaccess - The .htaccess file explained
(Page 2 of 4)
A .htaccess file is a per-directory configuration file read by .htaccess-aware web servers such as Apache. One of the things it can do is demand a username and password (HTTP Basic authentication) whenever a particular directory or file is requested. Basic authentication is a plain-text scheme: the browser sends the username and password with every request, base64-encoded but not encrypted, so anyone who can sniff the packets between browser and server can read them off with no effort. In that respect it is exactly as safe as a telnet or FTP login, which is to say not safe at all on an untrusted network, and the remedy is the same: only use it over an encrypted connection (HTTPS).
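To make the sniffing point concrete, here is an added example (not code from the original article) that recovers the credentials from a captured Basic-authenticated request exactly as a packet sniffer would. The request text and the credentials joe / s3cr3t:pass are constructed for the example; note that the password contains a colon, which is legal and must be handled by splitting on the first colon only.

```python
import base64
import binascii

# Constructed sample: what a sniffer on the path between browser and server
# sees once the user has logged in to the realm. Credentials are the made-up
# pair joe / s3cr3t:pass (not from the article).
CAPTURED_REQUEST = (
    "GET /secure/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic am9lOnMzY3IzdDpwYXNz\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends for Basic auth: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def recover_basic_credentials(raw_request: str):
    """Return (username, password) from a sniffed HTTP request, or None when
    the request carries no usable Basic credentials."""
    header_block = raw_request.split("\r\n\r\n", 1)[0]
    for line in header_block.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None  # Digest or another scheme: no cleartext to recover
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed token, nothing recoverable
        # The user-id may not contain ':', so split on the FIRST colon only;
        # everything after it, further colons included, is the password.
        user, sep, password = decoded.partition(":")
        if not sep:
            return None
        return user, password
    return None


if __name__ == "__main__":
    creds = recover_basic_credentials(CAPTURED_REQUEST)
    print("recovered from the wire:", creds)
    print("browser would send:", basic_header(*creds))
```

The base64 step is reversible encoding, not encryption; the only thing standing between a network observer and the password is whether the connection is wrapped in TLS.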
To secure a directory on your web server using .htaccess, you create two files:
- .htaccess: This file holds the directives that tell Apache which authentication method to use and who is allowed into the current directory.
- .htpasswd: This file stores a list of usernames with hashed (not reversibly encrypted) passwords, which Apache checks against the credentials supplied in each request. You only have to type them once per browser session: after a successful login the browser caches the credentials for that realm and resends them automatically with every subsequent request to the protected area until you close it.
It is important to remember that a .htaccess file in /dir1 also protects every sub-directory of /dir1, such as /dir1/sub1. If /dir1/sub1 contains its own .htaccess file, its directives take precedence over those inherited from /dir1 (it may point at the same .htpasswd file or a different one; a separate .htpasswd is not required). In other words, .htaccess settings are inherited down the directory tree by default.
The .htaccess file acts like a small configuration script, and supplies Apache with the details and options it needs whenever authentication is required. Apache only reads it if the server configuration permits overrides for that directory (AllowOverride AuthConfig, or AllowOverride All); with AllowOverride None the file is ignored and the directory stays unprotected, so check this first. Create a new file named .htaccess on your local machine, and enter the following data into it:
AuthUserFile /www/htdocs/secure/.htpasswd
AuthGroupFile /dev/null
AuthName "My Secure Directory"
AuthType Basic
<Limit GET>
require valid-user
</Limit>

As you can see, our .htaccess file is divided into two sections: the authentication details section and the user permissions section. Let's break down each section.
AuthUserFile /www/htdocs/secure/.htpasswd

On the first line, we point Apache at what is known as a .htpasswd file. This file stores the list of username/password combinations which Apache uses to validate each login attempt (more on this file soon).

In our example, the .htpasswd file is located in /www/htdocs/secure. This is an absolute path on the server's filesystem, not a URL, and it does not have to be the directory you are protecting. Apache's default configuration refuses to serve files whose names begin with .ht, but the safest place for the password file is outside the document root altogether, where no URL can reach it.
AuthGroupFile /dev/null

On the second line, we have a reference to an authentication group file. A group file separates users into named groups, such as students and teachers, so that access can be granted with require group. We will not be using one, so we specify /dev/null, which tells Apache that it doesn't exist (on current Apache versions the directive can simply be omitted).
AuthName "My Secure Directory"

On the third line, we set the authentication name. It can be anything you like (quote it if it contains spaces) and is displayed as the realm in the login prompt the browser pops up. The browser also uses the realm to decide which cached credentials to resend, so directories that should share one login should use the same realm name.
AuthType Basic

The AuthType directive sets the authentication type for the request. Because we are using basic web-based authentication, we simply set it to Basic. Other values include Digest and, on Apache 2.4, Form. Digest sends a hash of the password rather than the password itself, but it is not a substitute for HTTPS.
The next section of our .htaccess file, the user permissions section, says who may enter, and the <Limit> wrapper restricts which request methods that rule covers:

<Limit GET>
...
</Limit>

Wrapped in <Limit GET>, the require directive applies only to GET requests (and HEAD, which Apache treats as GET here). Be careful: this does not stop authenticated users from filling out forms. It means that requests using any other method, such as POST, PUT or DELETE, are not subject to the authentication check at all and are served without credentials. The Apache documentation therefore warns against restricting access by method unless every method is listed. Unless you really need method-specific rules, drop the <Limit> wrapper and let the require directive apply to every request.

<Limit GET>
require valid-user
</Limit>

Between the <Limit> and </Limit> tags (or, without them, anywhere in the file), we can either list the users who will have access to our protected directory using the require user keywords, such as:

require user joe
require user fred
require user jane

(or, equivalently, require user joe fred jane on one line) or, as we have done in our .htaccess file, grant access to any user listed in the .htpasswd file:

require valid-user

That completes the description of a basic .htaccess file. When an unauthenticated user visits our protected directory, Apache reads the .htaccess file, answers with a 401 response carrying the realm in a WWW-Authenticate header, and the browser shows an authentication dialog box. Now that we know how to set the options for an authentication request, it's time to actually add users to our authentication list.
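Putting the caveats from the plain-text and <Limit GET> discussions together, here is an added, hardened version of the article's .htaccess (example configuration, not from the original article). It assumes Apache 2.4 with mod_ssl loaded, AllowOverride AuthConfig granted for the directory, and a password file at the made-up path /etc/apache2/htpasswd/secure; adjust the path to your server.

```apache
# Added hardened example; paths and the mod_ssl/AllowOverride assumptions are
# ours, not the article's. Apache does not allow comments on a directive line,
# so every comment sits on its own line.

# --- Weak form, as in the article (shown commented out) ---
# Inside <Limit GET> the Require applies to GET and HEAD only; a POST, PUT or
# DELETE to the same URL is served without any credentials.
#
#   <Limit GET>
#   require valid-user
#   </Limit>

# --- Hardened form ---
AuthType Basic
# Multi-word realm names must be quoted.
AuthName "My Secure Directory"
# Absolute filesystem path outside the document root, so no URL can fetch it.
AuthUserFile /etc/apache2/htpasswd/secure

# No <Limit> wrapper: the requirement covers every request method.
Require valid-user

# Refuse plain HTTP (403 on a non-TLS connection) so the base64 credentials
# only ever travel inside TLS.
SSLRequireSSL
```

If the site redirects HTTP to HTTPS at the virtual-host level, SSLRequireSSL still belongs here as a backstop: a misconfigured or newly added non-TLS listener would otherwise expose the credentials of anyone who follows an http:// link to the directory.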
This can be done using the standard htpasswd program.
Next: The .htpasswd file explained >>
More By Hassan Syed