Jump to content
Sign in to follow this  
kurt.santo

Folder protection via .htaccess

Recommended Posts

Part 1: Create a password file and put it on the serverTo create a password file and put it on the server: 1. Windows - Open Notepad: Click Start, point to Programs, point to Accessories, then click Notepad. Macintosh - Open Text Edit: Double-click your Macintosh HD icon, then double-click the Applications folder, then double-click the TextEdit icon. 2. Open a new blank file and name it: htpasswd 3. Set up one or more username/password combinations using one of the following sites that can generate encrypted UNIX passwords: * New Window http://spectrum.troy.edu/password/ * New Window http://www.flash.net/cgi-bin/pw.pl 4. From the form, copy and paste the username/password combinations into your htpasswd file, noting the following: * Each username/password combination should be on its own line. * Put nothing else in this file. For example: joeuser:33dJ3Dq1oYPd2 5. Using FTP, upload the htpasswd file to your /usr/users/bcusername/ folder on the www2.bc.edu server. Important: * Be sure the FTP transfer mode is set to "ASCII" and not "binary". * Although this password is not easy to read, there are programs on the Internet that can break this password. Part of keeping your passwords secure is not letting anyone get access to this file. For that reason, we recommend that you not put them in the folder with the documents you are protecting, or even the root level of your Web site. We recommend that you put them in the folder whose name is your username: /usr/users/bcusername/ Not in: /usr/users/bcusername/www/ 6. Using FTP, change the name of the file on the server to .htpasswd with nothing before the period.Part 2: Create an .htaccess file in the folder you would like restrictedTo create an .htaccess file in the folder you would like restricted: 1. Windows - Open Notepad: Click Start, point to Programs, point to Accessories, then click Notepad. Macintosh - Open Text Edit: Double-click your Macintosh HD icon, then double-click the Applications folder, then double-click the TextEdit icon. 2. Open a new blank file and name it: htaccess 3. Copy and paste the following text into the file: AuthUserFile /usr/users/myusername/.htpasswd AuthName "YOUR SITE'S NAME" AuthType Basic < Limit GET> require user joeuser < /Limit> 4. Edit the line: AuthUserFile /usr/users/myusername/.htpasswd changing "myusername" to your BC username. 5. Edit the line: AuthName "YOUR SITE'S NAME" The words you put here show up in the authentication dialog box. * In Netscape, this line of text appears in the middle of the following phrase: Enter username and password for "YOUR SITE'S NAME" at www2.bc.edu. Note: You cannot change the surrounding phrase: "Enter username and password for...at www2.bc.edu." For example: AuthName"BC Help Center Restricted Page" appears as the following in Netscape (refer to Figure 1): Figure 1: Example of text that appears on login prompt in Netscape. Figure 1: Example of text that appears on login prompt in Netscape. * In Internet Explorer, this line of text appears with nothing around it. For example: AuthName"BC Help Center Restricted Page" appears as the following in Internet Explorer (refer to Figure 2): Figure 2: Example of text that appears on login prompt in Internet Explorer. Figure 2: Example of text that appears on login prompt in Internet Explorer. 6. In the second to last line, change the word "joeuser" to the username you put in your password file. Important: Do not include the password in this file. For example, to change the username to "anotheruser" this last 3 lines would read: < Limit GET> require user anotheruser < /Limit> -OR- To allow any username/password combination in your password file to access the folder, enter the following for the last 3 lines: <Limit GET POST> require valid-user </Limit> 7. Using FTP, upload your edited htaccess file inside the folder you want restricted on the www2.bc.edu server. Important: Be sure the FTP transfer mode is set to "ASCII" and not "binary". 8. Using FTP, change the name of the file on the server to .htaccess with nothing before the period.Part 3: Test the set upTo test the set up: 1. Open your Web browser and go to the page you have just protected. You should receive an authentication dialog box similar to Figure 1 and 2 above. 2. Enter an incorrect username and password to make sure it fails. 3. Enter the correct username with an incorrect password to make sure it fails. 4. Enter the correct username and password to make sure it works.Limitations to this method of authenticationThe following are limitations to this "basic" method of authentication: * The password is not encrypted as it goes over the network, so it could be sniffed. * The password and username remain in the browser until the user closes their Web browser completely. This means that shared computers or unattended computers are potential security risks. * If the user tries to go to another www2.bc.edu site that has a different username and password, they will get an immediate "access denied" message. They will not even see the authentication dialog box. This is because with basic authentication, the username and password is stored in the browser and the system makes the assumption that for any given server a person has only one username and password. To get past this limitation the user must close all windows of the Web browser, quit the browser, and then launch a new browser session to go to the second location. * The .htaccess restriction only limits access through a Web browser. Other BC students, faculty, and staff who have accounts on the www2 server may be able to retrieve your documents using FTP. Remember that www2 is primarily a public Web server, not designed for restricting confidential documents. For better handling of confidential documents, use New Window MyFiles@bc and New Window WebCT Web.enjoy

Share this post


Link to post
Share on other sites

Here is a great and simple way to implement .htpasswd (plus it encodes the passes in the password listing):http://tools.dynamicdrive.com/password/For an awesome guide on .htaccess and its uses go here:http://www.javascriptkit.com/howto/htaccess.shtml

Share this post


Link to post
Share on other sites

Read all the info and implemented the advice. Tried it and worked. Tried it again and does not work, browser sends my to my "permission needed page". Why could that be? I did not change the pw or username? Now it even does not let me delete the folder I created for testing, strange...Kurt

Share this post


Link to post
Share on other sites
Did you encrypt the usernames/passwords?
It actually works now in a different place. It seems my problem lies again somehow in the display of my remote files. When I try to delete a folder where I placed a .htaccess file it says "Command: RMD folderProtect, Response: 550 folderProtect: Directory not empty". When I go into directory I cannot see any file, and this although I set FileZilla (also tried it with Dreamweaver with same result) to show hidden files. Why could that be? Followed your instructions to transfer as text file and then change file extension/front bit when uploaded. Why do you have to do this? In FileZilla and Dreamweaver you can assign the modes of transfering files to any file extension. I created on for .htaccess (ascii).Another question in same context: How again do you find out what exact path is the folder above your web root? Justsomeguy told me some time ago, but I used it back then and completely forgot how to (apart from asking hosting company).Kurt

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×