User Authentication using the Apache .htaccess file

This tutorial is for Apache web server users

One of the features webmasters most often want is a way to restrict access to their website. It's not too difficult to implement a username/password scheme that allows access to the whole site. But a problem arises when you need to restrict access on a per-directory basis.

You may want some users to have access to certain directories, while restricting others to different directories on the same server. That's where the .htaccess file comes in. It allows you to create a unique username/password for each of your users, and to define the part of your website you want each user to have access to.

To see an example, use apache as the username, and auth as the password when you follow this link. You should have seen a window pop up asking you for username/password. I basically just let it redirect to this page.

What is .htaccess, and why does it have such a strange naming scheme? The dot in front of the htaccess goes back to unix. All hidden files under unix begin with a dot, and the practice has been preserved as apache got ported to other operating systems. Unfortunately some operating systems will not allow you to access or modify a file that is named this way, i.e. beginning with a dot.

Can you name the file something else besides .htaccess then? The answer is yes. You can change the name of the file to something that your OS will be happy with. If you're under Microsoft Windows for instance, you can use the NAME.EXT format. E.g. you can call it something like htaccess.file, or passwd.txt, etc.

How will Apache know to use the file you've renamed, instead of the default .htaccess? You do that by changing a line in your apache config file, httpd.conf. So open httpd.conf and find the line that reads

AccessFileName .htaccess

Change this line to whatever name you want. Assuming you chose the name htaccess.file, the line would be:

AccessFileName htaccess.file

Save httpd.conf. Now every time a user tries to access a directory, apache knows to look in that directory for htaccess.file. If this file is found, apache pops up a window asking for username and password.

Password file

Besides the htaccess file, there is also a file that holds the username/password info. How do you create this password file? You do it using a small program called htpasswd, which comes with apache. To find out its location, type which htpasswd at a UNIX prompt, or under Windows use Start/Find/Files or Folders... Once you know where it is, open up a shell for your OS, e.g. a DOS console in Windows. Change to the directory where htpasswd is located, and issue the command:

htpasswd -c htpasswd josh

When you press enter, you will be asked to enter a password for the user, and then to confirm the password. A file called htpasswd will be created which looks something like this:


Note: You don't have to call the file htpasswd. It could be any name you choose, e.g. htpasswd -c mypasswdfile josh.

So what does this mean? Basically, you have just created a username/password file with the name and password separated by a colon. The password is encrypted, which is why it appears as junk above. The username in this case is josh, and the password is whatever you chose.

If you take another look at the command, htpasswd -c htpasswd josh, you will notice we used a -c. -c is used only when you first create the password file.

Adding more users

How can you add more users to this file? You issue the same command, but this time without the -c modifier. So let's add another user called enroy.

htpasswd htpasswd enroy

Now you will have something like


To add more users, repeat the command htpasswd htpasswd username.

If you want to see other flags available for the htpasswd program, type htpasswd at the prompt.

So where is the password file located? It should be in the same directory as the htpasswd program; if not, search for it as usual. You will need to know the location for the next steps.

.htaccess file

Now we need to create our .htaccess file; in our case, it will be htaccess.file. We reconfigured it in httpd.conf, remember?

This is a plain text file that you can create using any text editor. Use Notepad in Windows.

Two main things are needed in this file. One, where your password file is located and two, a list of users to allow.

To specify the password file, type this in htaccess.file:

AuthUserFile /location/of/htpasswd

So if the password file is located in c:\apache\bin, the above line would be

AuthUserFile c:/apache/bin/htpasswd

AuthGroupFile /dev/null
AuthName MembersOnlyArea
AuthType Basic

Let's look at the other lines. The second line allows you to restrict access by group, rather than individually.

The third line is any name or title you choose for the restricted area. I called mine MembersOnlyArea.

Line four specifies the type of authentication. This line is almost always Basic. There is another authentication method called Digest. Digest is not yet implemented in browsers. When it is, it will be more secure than Basic.

Now you need to specify the actual users. This is done simply with require user:

require user josh enroy

As you can see, we've listed the names of users we want to give access. But what if we have a lot of users, and we want to give all of them access? In that case, you don't have to list the users as above, just use

require valid-user

valid-user tells apache to allow any user listed in the password file.

Putting everything together, we get

AuthUserFile c:/apache/bin/htpasswd
AuthGroupFile null
AuthName MembersOnlyArea
AuthType Basic
require user josh enroy

Save the file inside any folder on your website for which you need user authentication.

Telling apache to use authentication

Apache by default will not use authentication. You have to tell it to do so. But how? By changing a line in httpd.conf.

You tell apache what to do with a directory, and all the subdirectories under it, by using apache directives <directory "directoryName"> </directory>

So let's say we want authentication before users can access c:\apache\htdocs\members. We would add the following lines to the apache config file, httpd.conf:

<directory "c:/apache/htdocs/members">
AllowOverride All
</directory>

Save httpd.conf and restart apache.

Now each time your users try to access that directory, they will get a popup window asking for a username and password. Access will be granted only if they are valid users you've created.

Now, let's retrace our steps so far:

  1. You tell apache, "don't let anybody into the members directory unless they are valid users with a username and password."

  2. Someone tries to access it, and apache looks in httpd.conf and finds that the directory members needs authentication.

  3. Apache then looks in c:/apache/htdocs/members for a .htaccess file, or whatever filename you defined in httpd.conf.

  4. If the .htaccess file is found in the members directory, apache throws up a window, asking for username and password.

  5. Apache then checks the user's entry against what is contained in the password file.

  6. The user is denied access if a match is not found in the password file.

That is all there is to user authentication.
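
Steps 5 and 6 above, together with the require line, can be modelled in a few lines of Python. This is an added example, not code from the original page and not Apache's own implementation; the guest user, all passwords and the helper names are constructed for illustration, and it assumes password entries in the {SHA} format so that the standard library can verify them.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from the original page). The {SHA} scheme, which
# `htpasswd -s` writes, is used only because the standard library can check it;
# it is unsalted SHA-1 and not a good choice for a real password file.
def sha_entry(user, password):
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

HTPASSWD = "\n".join(sha_entry(u, "pw-" + u) for u in ("josh", "enroy", "guest"))
HTACCESS = """AuthUserFile c:/apache/bin/htpasswd
AuthName MembersOnlyArea
AuthType Basic
require user josh enroy
"""

def parse_require(htaccess):
    """Return ('valid-user', set()) or ('user', {names}) from the require line."""
    for line in htaccess.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "require":
            return words[1].lower(), set(words[2:])
    return None, set()

def basic_header(user, password):
    """Header value the browser sends with every request after the popup."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check(header, htaccess=HTACCESS, htpasswd=HTPASSWD):
    """Return 200 if the request is allowed, 401 otherwise."""
    if not header or not header.startswith("Basic "):
        return 401  # no credentials yet: the browser shows the popup
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:
        return 401  # malformed base64 or non-text credentials
    users = dict(l.split(":", 1) for l in htpasswd.splitlines() if ":" in l)
    stored = users.get(user, "")
    expected = sha_entry(user, password).split(":", 1)[1]
    if not hmac.compare_digest(stored.encode(), expected.encode()):
        return 401  # step 6: no match in the password file
    kind, names = parse_require(htaccess)
    if kind == "valid-user" or (kind == "user" and user in names):
        return 200
    return 401  # correct password, but not listed on the require line
```

Note that the header is only base64-encoded, so anyone who can read the request can recover the password; Basic authentication should be served over HTTPS.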


If you're using Apache for Windows, be sure to specify AuthName as a single word. As you can see, I called mine MembersOnlyArea, instead of Members Only Area. Using more than one word separated by spaces would cause apache to cough up an Internal Server Error 500. If you want to have spaces in the name, then the whole name must be in quotes like this:

AuthName "Members Only Area"

When you restrict access to a particular directory by using

<directory "c:/apache/htdocs/members">
AllowOverride All
</directory>

in httpd.conf, it means access to all subdirectories under /members will also require authentication. So a subdirectory like /members/results will also throw up a popup window asking for username/password.

But what if you don't want authentication for say /members/results, while still authenticating /members?

What you do in that case is add another directive to httpd.conf as follows:

<directory "c:/apache/htdocs/members/results">
AllowOverride None
</directory>

So we've changed

AllowOverride All

to

AllowOverride None

for the subdirectory c:/apache/htdocs/members/results.

Once a user has been authenticated, will he be asked for login info the next time he tries to access the directory? When a user is authenticated, the session expires only when the user closes his browser. So, as long as the browser remains open, the authentication is still valid. This is just a simple form of restricting user access on a per-directory basis.

How to log out

Authentication using the .htaccess file is done in conjunction with the Apache server. Once the user has been authenticated, the authentication info is controlled by the browser, not apache. Currently, browser makers have not included a way to log out. Unfortunately, this means that the only way to log out is to close the browser.

Customizing login interface

When a user tries to access a file or directory which needs authentication, he is presented with a window that asks for authentication info. The wording on the window differs between browsers. For instance, Netscape asks for UserID, which a user may not realize means login name. Internet Explorer uses User Name for the same question. Wouldn't it be nice if you could customize such words to something your website visitors will understand? But once again, this feature is browser specific and cannot be changed.

You could use your knowledge so far for preventing hotlinking to your images.

Copyright © 1998-2022 Richie's Pages All rights reserved.
Last modified: May 28 2011 07:56:37.