How to password-protect a directory using .htaccess

The .htaccess file is a configuration file for the Apache HTTP server. .htaccess includes a series of directives that control how the server responds to requests. (A "directive" is just a text command/keyword followed by its value.) One of the more common usages of .htaccess is to enable a directory to be password protected. By adding appropriate directives to .htaccess, when a web user accesses a file in that directory or a subdirectory, they’ll be prompted for a username and password.

TIME REQUIRED 15-30 min
RELATED PRODUCTS Linux-based VPS or dedicated servers
cPanel Shared Hosting
Linux-based Web & Classic Hosting

RECIPE

Assuming the main configuration file sets AllowOverride to permit AuthConfig for this directory, directives similar to the following will password-protect the current directory tree with basic authentication for user blake:

AuthType Basic
AuthName "Protected Area"
AuthUserFile /usr/local/passwd/password.file
Require user blake

The AuthType directive selects the method used to authenticate the user. Basic sends the username and password in the clear over the network (they are only Base64-encoded, not encrypted). If you want to protect the username and password over the wire, use SSL (mod_ssl) with your Basic authentication.

Use the AuthName directive to identify to the user which password they should enter. Multiple independent directory trees in the same realm can be protected by a single password. Once a user has entered a password for a realm, they won’t be prompted again, provided the server name part of the URL doesn’t change.

As might be inferred, the AuthUserFile directive defines where to look for passwords. You create the password file with the htpasswd command. There is also an AuthGroupFile directive that allows you to define groups of users. You can then protect the directory by group name instead of having to identify individual users.

AuthGroupFile /usr/local/passwd/groups.file
Require group admin

The groups.file file is a text file consisting of a list of groups and their usernames, like the following. The password for each user is still maintained in the password file named by the AuthUserFile directive.

admin: blake sally patrick

The Require directive identifies who has access to the directory tree. The basic usages are to control access for any valid user, a list of users, or a list of groups.

Require valid-user
Require user userid1 [userid2] ...
Require group group1 [group2] ...
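
The following Python sketch is an added example, not part of the original article and not Apache's own code. It shows that a Basic credential can be read back from the Authorization header without any key, and models how the three Require forms above decide access using the article's group file line; the password value, the function names, and the assumption that the password was already checked against AuthUserFile are all illustrative.

```python
import base64

# Constructed sample data: the article's group file line and a made-up password.
GROUP_FILE = "admin: blake sally patrick\n"
SAMPLE_HEADER = "Basic " + base64.b64encode(b"blake:example-password").decode()

def parse_basic_header(value):
    """Recover (user, password) from an Authorization header value.
    No key is involved: Basic credentials are only Base64-encoded."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' between user and password")
    return user, password

def parse_groups(text):
    """Parse group file text of the form 'group: user1 user2 ...'."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip():
            groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def is_authorized(user, require_line, groups):
    """Evaluate one Require line for a user whose password already checked out
    (assumption: verification against AuthUserFile happened earlier)."""
    parts = require_line.split()
    if len(parts) < 2 or parts[0].lower() != "require":
        raise ValueError("not a Require directive")
    kind, names = parts[1].lower(), parts[2:]
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in names
    if kind == "group":
        return any(user in groups.get(g, ()) for g in names)
    raise ValueError("unsupported Require type: " + kind)

if __name__ == "__main__":
    user, _ = parse_basic_header(SAMPLE_HEADER)
    groups = parse_groups(GROUP_FILE)
    for rule in ("Require user blake", "Require group admin", "Require valid-user"):
        print(rule, "->", is_authorized(user, rule, groups))
```
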

There are additional ways to control access with directives like Satisfy and Allow. If Require is insufficient for your needs, review the other directives.

Use basic authentication via .htaccess with care. It may work fine for small sets of users but does not scale well. Consider something like using an OAuth server for a production environment with large numbers of users.

Do note that with basic authentication, each resource request requires the username and password to be verified, even with just reloading a page, which can have performance implications.

