Password Protecting A Folder With .htaccess

THDL Toolbox > Developers' Zone > Using Password Protection > Password Protecting a Folder with .htaccess

Password Protecting a Folder with .htaccess

Contributor(s): Than Garson

Note: this procedure may be outdated and this documentation may need to be rewritten.

In certain situations it is necessary to restrict access to a web document, whether it is an HTML document or one for downloading, such as a Zip file or Word document. In these cases, access to the folder where the document resides can be restricted to those with the correct username and password. (Note: This process does not work for XML documents in the present state of affairs because XML documents are not accessed directly. The user calls the XSLT transformation engine, which in turn calls the XML document, and if that XML document is located in a protected folder, the transformation engine will crash.) The present document describes how to create such a password protected folder. All documents in a password protected folder are thus restricted in access to those that have the proper login and password.

To create such a folder, one must have access to the HTML server (in THDL’s case IRIS) via FTP with SecureFx and via a secure shell terminal such as SecureCRT. (If you are a registered UVA user [Student or Staff], these programs are available from UVa's external link: ITC Download site.) Therefore, only the main workers on the THDL staff are able to create such a folder. Those who do have such access should be warned not to create an unnecessary proliferation of password protected folders. They should be kept to a minimum, and their passwords should be registered with the THDL director, who will keep a well documented file of password protected folders and their uses. The instructions here are to document the process for such moderate use. The steps are:

  1. Logon to the THDL site using SecureFX (FTP).
  2. Create the folder in the desired place on the THDL site.
  3. Create an .htaccess file according to the instructions below.
  4. Post the .htaccess file to the folder that is to be protected.
  5. Logon to the THDL site using SecureCRT. (Your logon and password are the same as when FTPing. When the connection is first made you may find yourself in /home/username. To get to the THDL site, type “cd /lv9/tibet”.)
  6. Navigate to the folder that is to be protected.
  7. Type the following command:
    htpasswd -c .htpasswd username
    where username represents the logon name for that folder. This can be anything one desires, such as “Tibet”, “THDLUser”, etc.
  8. It will then prompt you for a password and then a retyping of the password.
  9. After the second entry of the password, it will say “Adding password for …”

A second username/password combo can be added by typing: htpasswd .htpasswd username (i.e. the same command without the –c) and going through the same password verification process.

The .htaccess File

The .htaccess file is the Unix file that tells the server that a folder is restricted. It is a simple text file with a simple structure. Only one portion of it needs to change for each password restricted folder. In a text file type the following lines, replacing the “{location of your folder here}” with the actual location of the folder from the root:

AuthUserFile /lv9/tibet/{location of your folder here}/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

<Limit GET>
require valid-user
</Limit>

Save the file as “.htaccess” and using the FTP program post it into the folder that is to be protected. For further information on this topic, see external link: SiteHost International.

Provided for unrestricted access by external link: The Tibetan and Himalayan Digital Library