
How to Password Protect a folder using .htaccess

On Crosswinds, you can create folders or files that are password protected (ie: allow only those with a password to view the contents of the folder). You can do this easily for folders using CPanel. For files, there's no provision in CPanel but with only a little more work it can be done.


Confused?? So was I at first.... But with the help of the internet, my confusion was cleared up. Here's how to password protect files:

with CPanel (folders only) | without CPanel (folders and files)

Password Protect With CPanel

Crosswinds has already created a folder (one step above your root directory (the top directory)) for storing sensitive data. It is called .htpasswds. Inside that folder, there may or may not be a mirror of your site's folders. (There is in mine, but it may be because I've already set up passwords, etc. on my site.) Note that there is a leading dot before "htpasswds". From my understanding, this folder will never be served by Crosswinds and so is secure.

  1. Create the folder that will require a password: Upload an index file to the folder.
  2. Go to "CPanel - Password Protect Directories" and select the newly created folder. Check the box beside "Password protect this directory:", put the instructions for people seeing the password form in the box beside "Name the protected directory" and hit "save". (Note that quotation marks cannot be used; they will break the form.)
  3. Still in "CPanel - Password Protect Directories", create the authorized user(s):
  4. To password protect a file within a folder: Copy the contents of .htaccess file in your password-protected folder. Open your text editor and paste the contents to a new file.
    <filesmatch "protected_file_name.html">
    AuthUserFile "/usr/home/CWUSER/.htpasswds/public_html/protected_folder_name/passwd"
    AuthName     "you must log in to see this file "
    AuthType     Basic
    require      valid-user
    </filesmatch>
    Save the file as .htaccess.
  5. Upload the new .htaccess file to a different folder that contains the file requiring a password: please remember to upload the .htaccess file via ASCII if you are using FTP.
  6. There is no number 6: You're done. All that's left is to test that the password is working.

N.B. Once the password has been entered for the password-protected area, unless the browser is closed, that area can always be viewed without having to log in again. So, this method is not necessarily the best for users who are on shared computers.

Password Protect Without CPanel

Although Crosswinds has already created a folder for storing sensitive data, I seem unable to figure out how to use those folders without the help of CPanel. There IS a way around this though.

  1. Create a folder for storing your passwords: In your root directory (your top directory), create a new folder and name it .data. To ensure that the folder will be secure, chmod it to 750.


    r = 4 Read the file
    w = 2 Write to a file
    x = 1 Execute the file

    The first of the three numbers gives the permissions for the USER (crosswinds.net server). The second number represents the permissions for the GROUP (you) and the third number represents the permissions for the WORLD (everybody on the internet). At least I think this is correct....
  2. Create a password file: This file requires encrypted passwords. Luckily, there are several online password encryption sites. Here are two I found: Armed with your encrypted password(s), you can now create the password file. Open up a text editor (notepad) and type the following:
    
    # format is "username:encrypted password"
    user:1JjkokKtR7KpM
    anotheruser:1WRwXt7Ld8R4S
    
    If you have more than one user, place each one on a separate line. Save the file as .htpasswd and upload it via ASCII to your newly created .data folder.
  3. Create htaccess file: Open your text editor again and type the following:

    Password Protect a Folder:
    AuthUserFile "/usr/home/CWUSER/public_html/.data/.htpasswd"
    AuthName     "you must log in to see this folder"
    AuthType     Basic
    require      valid-user
    
    Note that if your crosswinds name is "freddy", the entry for "AuthUserFile" would be "/usr/home/freddy/public_html/.data/.htpasswd". If your crosswinds name is longer than 6 letters, only the first 6 letters are used. eg: with the name "frederick", the entry would be "/usr/home/freder/public_html/.data/.htpasswd" (I think...).

    You can put whatever message you like after "AuthName".

    Password Protect a File Only:
    You can also password protect a single file. Open the .htaccess file in a text editor again and type the following:
    <filesmatch "protectedfilename.html">
    AuthUserFile "/usr/home/CWUSER/public_html/.data/.htpasswd"
    AuthName     "you must log in to see this file"
    AuthType     Basic
    require      valid-user
    </filesmatch>
    
    Once again, you can put whatever message you like after "AuthName". For instance, if you wanted to allow many people to access the file, but just stop the casual user, you could include the login name and password in the message. (Try it out: password protected file)

    To prevent bots from easily breaking in, make sure that the password is disguised somehow in the message rather than written out. If the password were "hello", the coding might be something like this:
    <filesmatch "protectedfilename.html">
    AuthUserFile "/usr/home/CWUSER/public_html/.data/.htpasswd"
    AuthName     "Your username is [guest] and the password is a common greeting that starts with 'h' and rhymes with 'yellow'"
    AuthType     Basic
    require      valid-user
    </filesmatch>
    
    Please remember that quotation marks cannot be used within the message; they will break the form.

    Save the file as .htaccess and upload it via ASCII to the folder that contains the password-protected file.
  4. There is no number 4: You're done. All that's left is to test that the password is working.
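
An added example, not part of the original page: a small Python check of the two files built in the steps above. It reports a password file stored under the web root (the CPanel method keeps it in .htpasswds, above the root, so it is never served), quotation marks inside AuthName, and hash formats that Apache documents as weak, such as the 13-character crypt(3) form of the sample entries. The names audit and hash_scheme and the docroot default are assumptions made for illustration, and the sample input is constructed from the page's snippets.

```python
import re

# Constructed sample input, modelled on the files in the steps above.
HTACCESS = '''<filesmatch "protectedfilename.html">
AuthUserFile "/usr/home/CWUSER/public_html/.data/.htpasswd"
AuthName     "you must log in to see this file"
AuthType     Basic
require      valid-user
</filesmatch>'''
HTPASSWD = '''# format is "username:encrypted password"
user:1JjkokKtR7KpM
anotheruser:1WRwXt7Ld8R4S'''
PREFIXES = (("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1-unsalted"))
WEAK = {"des-crypt", "sha1-unsalted", "unknown-or-plaintext"}

def hash_scheme(h):
    """Classify an .htpasswd hash by the formats Apache documents."""
    for prefix, name in PREFIXES:
        if h.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des-crypt"  # crypt(3): only the first 8 password characters count
    return "unknown-or-plaintext"

def audit(htaccess, htpasswd, docroot="/usr/home/CWUSER/public_html"):
    """Return findings for one .htaccess / password-file pair (docroot is assumed)."""
    findings, directives = [], {}
    for line in htaccess.splitlines():
        m = re.match(r"\s*(\w+)\s+(.*\S)", line)  # skips <...> and # lines
        if m:
            directives[m.group(1).lower()] = m.group(2)
    for needed in ("authuserfile", "authname", "authtype", "require"):
        if needed not in directives:
            findings.append(f"missing directive: {needed}")
    path = directives.get("authuserfile", "").strip('"')
    if path.startswith(docroot.rstrip("/") + "/"):
        findings.append("password file is inside the web root")
    if '"' in directives.get("authname", "")[1:-1]:
        findings.append("quotation mark inside AuthName")
    for line in htpasswd.splitlines():
        user, sep, h = line.strip().partition(":")
        if sep and not user.startswith("#"):
            scheme = hash_scheme(h)
            if scheme in WEAK:
                findings.append(f"weak hash for {user}: {scheme}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(HTACCESS, HTPASSWD)))
```

A password file under public_html stays private only as long as the server refuses to serve it, which is why the check treats that location as a finding.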

If the form is filled in incorrectly, the page opens to a 401 error page. For more information please read about how to customize error pages.

N.B. Remember, once the password has been entered, unless the browser is closed, the file can always be viewed without having to log in again.




                     \ 
                      \,^^%---
                      <\/  \ See? It's easy when you know how....
                      >
                      >^^
                     /| 
ejm                  | \

 
 
 

© llizard 2009 (last modified 23 November 2009 at 01:06:36 EST)
