
Securing Directories With htaccess


If you have a web site that contains sensitive documents such as test results, scripts, or an administration section, then you need directory security to stop unauthorized people from accessing certain parts of your site. In this article, Hassan will show you how to set up htaccess security for folders on your Apache web server.

Author Info:
By: Hassan Syed
December 03, 2001
TABLE OF CONTENTS:
  1. Securing Directories With htaccess
  2. The .htaccess file explained
  3. The .htpasswd file explained
  4. Conclusion


Securing Directories With htaccess - The .htaccess file explained
(Page 2 of 4)

The htaccess scheme described here is HTTP Basic authentication: a username/password challenge that Apache (or any other web server that honours .htaccess files) issues whenever a protected directory or file is requested. Basic authentication is a plain-text method. The browser joins the username and password with a colon, Base64-encodes the result and sends it with every request to the protected area. Base64 is a reversible encoding, not encryption, so anyone who can capture the traffic with a packet sniffer can read the credentials directly. Over an unencrypted HTTP connection the login is exactly as exposed as a telnet or FTP session, which is why a Basic-protected directory should only ever be served over HTTPS.

To secure a directory on your web server using .htaccess, you create two files:

  1. .htaccess: This file stores the directives that tell Apache how to authenticate requests for the current directory and who is allowed in.
  2. .htpasswd: This file stores usernames together with hashed (not reversibly encrypted) passwords. Apache reads it, in conjunction with the .htaccess file, to grant or deny each request. Basic authentication has no real notion of a session: after the first successful login the browser remembers the credentials and resends them with every request to that realm until you close it, which is why you are not prompted again on every page.
It is important to remember that a .htaccess file in /dir1 also protects every sub-directory of /dir1, such as /dir1/sub1. A .htaccess file in /dir1/sub1 is merged on top of the parent's: any directive it sets (a different AuthUserFile, a different require line) overrides the parent's setting for that sub-directory, while directives it does not set are inherited, so the sub-directory does not need its own .htpasswd file unless you want a different user list there. In other words, htaccess authentication is inherited down the directory tree by default.

The .htaccess file is a per-directory fragment of Apache configuration: it tells the server how to authenticate requests for the directory it lives in. Apache only honours it if the main server configuration allows overrides for that directory (AllowOverride AuthConfig or AllowOverride All), so check that first if the directory stays unprotected. Create a new file named .htaccess and enter the following (the AuthName value is quoted because it contains spaces; Apache 2.x requires the quotes):

AuthUserFile /www/htdocs/secure/.htpasswd
AuthGroupFile /dev/null
AuthName "My Secure Directory"
AuthType Basic
<Limit GET>
require valid-user
</Limit>


As you can see, our .htaccess file is separated into two sections: the authentication request details section, and the user permissions section. Let's break down each section.

AuthUserFile /www/htdocs/secure/.htpasswd

On the first line, we point Apache at the .htpasswd file, which holds the usernames and password hashes Apache uses to validate each login attempt (more on this file soon).

In our example the .htpasswd file lives at /www/htdocs/secure/.htpasswd. Note that AuthUserFile takes a filesystem path, not a URL path, so change it to the absolute path of wherever you actually put the file. The file does not have to be inside the protected directory, or even under the document root; keeping it outside the document root is the safest choice, because then no URL can ever map to it. If you do keep it under the document root, make sure the server's default rule that refuses to serve files whose names begin with .ht is still in place.

AuthGroupFile /dev/null

On the second line, we have a reference to an authentication group file. This file is used to separate users into groups, such as students and teachers, so that access can be granted per group rather than per user. We will not be using a group file, so we specify /dev/null, which tells Apache that one doesn't exist; the line can also simply be left out.

AuthName "My Secure Directory"

On the third line, we set the authentication name. The authentication name can be anything you like and is displayed as the "realm" when the browser asks the user for credentials, as shown below. The realm also identifies the protection space: the browser reuses the credentials it has for that realm on the same server, so directories that share a realm and user list share one login, while a different realm prompts again.

[Figure: the AuthName value appears as the realm in the browser's login prompt]

AuthType Basic

The AuthType directive sets the authentication scheme the browser is asked to use. Because we are using basic web-based authentication, we simply set it to Basic. The other scheme Apache supports for .htaccess is Digest (AuthType Digest, provided by mod_auth_digest), which sends a hash computed from the password instead of the password itself and needs a password file created with htdigest rather than htpasswd. Newer Apache 2.4 releases also offer form-based login (AuthType Form).
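Before moving on to the permissions section, here is the exchange the directives above set up, as an added example that is not part of the original article or of Apache's own code. It models the 401 challenge that carries the AuthName value as the realm, the Authorization header the browser builds, and the lookup Apache's file provider does against .htpasswd. Everything in it is constructed for illustration: the realm and path, the user names and passwords, the sample request and response, and the .htpasswd contents. Only the "{SHA}" entry format written by htpasswd -s is modelled; Apache also accepts crypt, "$apr1$" MD5 and bcrypt entries, which are not implemented here. The credential decoder is the same few lines a packet sniffer needs, which is the whole reason Basic authentication must travel over HTTPS.

```python
"""HTTP Basic authentication as the .htaccess scheme uses it.

Added example, not code from the original article or from Apache. Every
message, name, password and the .htpasswd text below is constructed.
"""
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple


def realm_from_challenge(response: str) -> Optional[str]:
    """Extract the realm (Apache's AuthName value) from a 401 response."""
    m = re.search(r'^WWW-Authenticate:\s*Basic\s+realm="([^"]*)"',
                  response, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def build_authorization(username: str, password: str) -> str:
    """What the browser sends back: 'user:password', Base64-encoded (not encrypted)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_request(request: str) -> Optional[Tuple[str, str]]:
    """Recover user name and password from a captured request.

    Apache does exactly this to validate a login; so can anyone reading the
    traffic. The password may itself contain ':', so split on the first only.
    """
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)", request,
                  re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def sha_entry(password: str) -> str:
    """Entry in the form 'htpasswd -s' writes: '{SHA}' + base64(SHA-1(password)).

    Unsalted SHA-1 cracks quickly offline if the file leaks; it is modelled
    because it is the simplest format, not as a recommendation.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> Dict[str, str]:
    """One 'user:hash' per line; blank lines and '#' comment lines are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(stored: str, password: str) -> bool:
    """Compare a candidate password against one stored entry, in constant time."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_entry(password), stored)
    raise NotImplementedError("only {SHA} entries are modelled in this example")


def authenticate(request: str, htpasswd_text: str) -> Optional[str]:
    """Return the user name if the request carries valid credentials, else None."""
    creds = credentials_from_request(request)
    if creds is None:
        return None
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None:
        return None
    return user if check_password(stored, password) else None


# Constructed 401 response for a directory whose .htaccess sets
# AuthName "My Secure Directory" and AuthType Basic.
CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="My Secure Directory"\r\n'
    "Content-Type: text/html\r\n\r\n"
)

# Constructed .htpasswd: joe's entry is generated here; jane's is the
# well-known hash of the password "password".
HTPASSWD = "\n".join([
    "# constructed for this example",
    "joe:" + sha_entry("s3cret"),
    "jane:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
])

# Constructed retry from the browser after the user types joe / s3cret.
REQUEST = (
    "GET /secure/results.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: " + build_authorization("joe", "s3cret") + "\r\n\r\n"
)
```

Run it and call authenticate(REQUEST, HTPASSWD) to see the server's decision, and credentials_from_request(REQUEST) to see what a sniffer sees: the same function serves both, which is the point. The hmac.compare_digest call is there because Apache's own comparison is constant-time for the stored hash; a naive == would leak timing information about how many leading characters of the hash match.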

The next section of our .htaccess file, the permissions section, says which requests must be authenticated and who is allowed to make them:

<Limit GET>

...

</Limit>


The <Limit> container is easy to misread. It does not restrict what an authenticated user may do; it restricts which HTTP methods the enclosed require directive applies to. With <Limit GET>, only GET requests (and HEAD, which Apache treats as GET here) for the directory require a login. Every other method, including POST, is left completely unprotected, so a request that submits a form to a script in the directory is served without any password at all. Unless you genuinely need per-method rules, leave the <Limit> container out and put require valid-user directly in the file so that it applies to every method; if you must name methods, use <LimitExcept> to list the methods that are exempt and protect everything else, which fails closed where <Limit> fails open.

<Limit GET>

require valid-user

</Limit>


Between the <Limit> and </Limit> tags (or, better, with no <Limit> at all), we can either list the users who will have access to our protected directory with the require user directive, one per line as below or with several names on a single require user line:

require user joe

require user fred

require user jane


Or, as we have done in our .htaccess file, we can simply grant access to any user listed in the .htpasswd file:

require valid-user
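To make the method gap concrete, here is the same directory protected two ways. This is an added example, not configuration from the original article: the first file is this page's .htaccess with the <Limit GET> hole it carries, the second is the form a practitioner would actually deploy. The realm and the first AuthUserFile path are the ones used on this page; the path under /etc/apache2/htpasswd in the corrected file is an assumption chosen only because it lies outside the document root.

```apache
# --- Weak: /www/htdocs/secure/.htaccess as shown on this page ---
# Only GET and HEAD requests are challenged. POST, PUT, DELETE, OPTIONS and
# any other method reach the directory's files with no login at all.
AuthUserFile /www/htdocs/secure/.htpasswd
AuthName "My Secure Directory"
AuthType Basic
<Limit GET>
    require valid-user
</Limit>

# --- Corrected: /www/htdocs/secure/.htaccess ---
# No <Limit> container, so the requirement applies to every request method.
# The password file is kept outside the document root (assumed path), so no
# URL can ever map to it, even if the .ht* protection rule were removed.
AuthUserFile /etc/apache2/htpasswd/secure.htpasswd
AuthName "My Secure Directory"
AuthType Basic
require valid-user

# If you really need method-specific rules, name the exempt methods and
# protect everything else. This variant allows anonymous reads but demands a
# login for every other method; compare it with <Limit GET>, which does the
# reverse of what most people expect.
# <LimitExcept GET HEAD>
#     require valid-user
# </LimitExcept>
```

Both files assume the main server configuration contains AllowOverride AuthConfig (or All) for /www/htdocs/secure; without it Apache ignores the .htaccess file entirely and the directory is served unprotected, which is worth testing for with a request that carries no credentials before you rely on the setup.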

That completes the description of a basic .htaccess file. When an unauthenticated user requests anything in the protected directory, Apache reads the .htaccess file, answers with a 401 response carrying the realm, and the browser shows its login dialog. Now that we know how to set the options for an authentication request, it's time to actually add users to our password file.

This is done with the standard htpasswd program that ships with Apache.