
Password protection

One of the most important uses of .htaccess is the authentication and password protection offered by the Apache Web Server. One or more directories of a website can easily be protected so that a username and password are required to access them.

The web browser handles the login process for such protected directories automatically, using the login prompt that pops up (you have probably seen it before). The password is stored in encrypted form to protect the login credentials. In this part, the .htaccess authentication system is discussed in detail: we explain how to set up password protection and cover related useful information.

To start, decide which directory you want to password protect (note that all files and subdirectories within that directory will be protected too), then create a .htaccess file in it following the guidance below and containing the text below.

AuthName "Member's Area Name"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
Require valid-user

In the code above, the first line tells the Apache Web Server that this is a protected directory named ‘Member's Area Name’; this name is displayed in the login pop-up prompt. The second line specifies the location of the password file. The third line specifies the type of authentication; in the example we used ‘Basic’, i.e. HTTP Basic authentication.

Finally, the fourth line specifies that valid login credentials are required. This line can also be used to allow only a specific username: for example, ‘require user username’ will only accept ‘username’ as the username. This is useful for password protecting an administration area, as opposed to a public directory.

The password file can be located anywhere on the web server; you must replace ‘/path/to/password/file/’ with the absolute/full path of the directory that contains the password file, and the file ‘.htpasswd’ must exist. The file can be given any name; we used ‘.htpasswd’ as the filename because the server recognizes it and it is hidden from visitors.

Note that some servers require the password file and the .htaccess file to be in the same directory. It is also essential to use an absolute/full path to locate the password file; a relative path or any other variation of the URL will not work.

The contents of the password file will look like the text below.

username:encryptedpassword
john_mathew:dGF9Pcm/MZJp7

Passwords cannot simply be made up: on a Linux/Unix server the server must encrypt them, but on a Windows server use plain-text passwords, as Windows does not offer the encryption method. Your password file can contain any number of user records, but only one account per line, with a colon separating the username and password.
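As an added example (not code from the article or from Apache itself), here is a small Python model of how the server matches a login against the password file and the Require line above: it parses the username:password records, checks a password against the {SHA} record form that Apache's htpasswd -s tool writes (the article's sample record uses the older crypt(3) form, which this example does not handle) and against the plain-text form the article mentions for Windows servers, then applies Require valid-user or Require user. The sample file contents and usernames are constructed.

```python
import base64
import hashlib
import hmac


def sha_entry(username, password):
    """Build a username:{SHA}... record, the form htpasswd -s produces."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode()}"


def parse_htpasswd(text):
    """One account per line, username and stored password separated by a colon."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep:  # silently skip malformed records with no colon
            users[user] = stored
    return users


def password_matches(stored, password):
    """Compare in constant time; supports {SHA} records and plain-text records."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode()).digest()
        return hmac.compare_digest(digest, base64.b64decode(stored[5:]))
    # Plain-text record (what the article says Windows servers use)
    return hmac.compare_digest(stored.encode(), password.encode())


def authorize(require, htpasswd_text, username, password):
    """Authenticate against the file, then apply the .htaccess Require line."""
    users = parse_htpasswd(htpasswd_text)
    if username not in users or not password_matches(users[username], password):
        return False
    words = require.split()
    if words[:2] == ["Require", "valid-user"]:
        return True  # any account in the file is enough
    if words[:2] == ["Require", "user"]:
        return username in words[2:]  # only the listed usernames
    return False


# Constructed sample password file (hypothetical users, not from the article).
HTPASSWD = "\n".join([
    "john_mathew:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",  # password is "password"
    sha_entry("alice", "correct horse"),
    "bob:plaintextpw",  # plain-text record, Windows style per the article
])
```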

By setting up a password-protected directory you can provide a members' area. A members' area is an excellent way to track your website visitors and a great way to create a sense of community on your website. Requiring registration to access your content lets you collect whatever information you need from your visitors, such as their professional status, sex and country of residence.

Thanks to the wide range of pre-built solutions available on the net, such systems are very easy to set up, and most of them can be installed as part of your initial website content. Two solutions offered by ionix have proven quite popular; one of them is ‘Locked Area’, which has been available on the net for more than 8 years and is used by more than fifty thousand websites.

It is a simple, effective and completely free system for managing a members' area: you can use it to set up a secure members' area for your content, it includes a registration area that lets your visitors register for access to the members' area, and it includes an administration panel from which you can email members and manage accounts.

Ionix offers another product called ‘OpenCrypt’, a membership management solution from ionix enterprise solutions. It provides features such as a statistical analysis system and a versatile registration system. Both products keep your content secure by ensuring that no visitor can access the members' area without registering. ‘OpenCrypt’ also offers a feature that prevents visitors from sharing their login details, which is especially useful for high-demand websites.

Note that it is not possible to offer visitors a logout facility: the browser caches the login credentials until the visitor closes it, so a visitor can leave your website and return later without logging in again. If the visitor closes and reopens the browser, the cached login details are deleted and the login prompt pops up again. A logout facility has been discussed for a long time and various methods have been proposed, but none of them is reliable and effective enough to be worth discussing.