Even You Can Password Protect a Directory (and a File)
by Harry Kenney
Sometimes the easiest thing seems nearly impossible - especially when it's
something we've already decided beforehand is too difficult to even attempt.
With me, that turned out to be the .htpasswd file and all the accompanying
"mystical, technical whatevers" that also went into making one. But, much like
Dr. Seuss's tale of Green Eggs and Ham, once I finally actually looked
into it - and found the right tools and a couple of good examples - it
turned out to be relatively simple. Yes, even you can do it!
So, here then is how to protect your directories. In fact, we'll go through the
normal method plus a very sweet way of doing it in PHP as well. (No, don't be
intimidated by that!) Again, trust me, this is easy as pie. If I can do it, you
can too.
The Basics
First, you need two files, .htaccess and .htpasswd. (Ok, let's mention that
yes, those are the file names. Not the extensions. They do start
out with a dot on the front and nothing else before them. Don't let it freak
you. That's just how it is.)
Now, to create these all you need is a text editor. However, if you have an HTML
editor that saves files in UNIX format, all the better. Ok, what does
this mean exactly? It means some text editors add an extra end-of-line
character, often invisibly; it's an old DOS holdover and it can stop that same file
from working on a UNIX server. Note: You do NOT want to create these
files in FrontPage or DreamWeaver or any other "fancy" editor, and no word
processor programs either, because they will mess it up worse than Windows
NotePad ever will by adding tons of extra, unneeded code.
Myself, I use HomeSite. I have long heard that TextPad is another
very good one. There are also many freeware ones; among those highly
recommended elsewhere are NotePadPlus and Nvu.
Ok another thing, if you're doing this on a PC, your text editor or HTML editor
may force the file you save to end in .txt or .htm or something. If so, just
let it. Afterwards you can rename it from "htaccess.txt" (or whatever it got
called) to ".htaccess" either on your computer prior to uploading, or upload it
to the server and then rename it there.
.htaccess
Got all of that? Then let's get to it. This code here below can serve as your
.htaccess file template. Copy it, paste it, make the necessary changes.
    # Label (realm) sent with the browser's login prompt
    AuthName "Label You Want Here"
    # Basic authentication, checked against a password file
    AuthType Basic
    # Full server path to the .htpasswd file; change this to your own path
    AuthUserFile /web/sites/youraccount/domain.com/mydirectory/.htpasswd
    # Any user listed in that file may enter
    require valid-user
If you already have an .htaccess file, then append the above to that
file. You may have one already, as .htaccess can perform many functions,
including 404 redirects among other things. If you don't have one, then just
copy the above into your editor, make the adjustments needed and save as
.htaccess. The line that starts out with "AuthUserFile" is the full server path
to the .htpasswd file in the directory you want protected. Both the .htaccess
file and the .htpasswd file you will create go into that server directory.
Remember because the .htaccess file can do other things, you can have an
.htaccess file without having an .htpasswd file. However it does not work
the other way around; an .htpasswd file requires there to be an
.htaccess file to tell the server where to find it. The other thing to remember
is these files "work down", meaning they protect not only the directory you put
them in, but also any subdirectories. (If you ever hear a techie speak, they
will say "parent directory" and "child directories", which mean the same thing
as the directory you're in and its subdirectories or subfolders.)
If that sounds at all confusing, it means simply that it would protect not only
/mydomain.com/thisdirectory/ but also /mydomain.com/thisdirectory/one/ and
/mydomain.com/thisdirectory/two/, etc. But it will not protect anything
to the side of nor above it, such as /mydomain.com/ or /mydomain.com/thatdirectory/.
.htpasswd
Here's the magical file where users are put in and passwords are encrypted for
protection. Do you need to know encoding? Heck no. To create the .htpasswd
file, I use the free tool at Mainstream Webmasters:
.htpasswd maker
Type in your name and the password you want, and it does the encryption for
you. Copy the resulting line into a file. If you have multiple users, repeat
the step and paste each on a separate line, such as this:
Guido:sDK33NPSnvonU
Norma:NFAgrHPnYTUJc
You will have to remember or write down your password (and no, no
reminders in the file: not only will it not work, but it will give you a
security hole, the opposite of what you are trying to achieve). And no, there
is no reversing the encrypted password to see what it was before. That's part
of the security. So if you ever forget what it was, you'll just have to make a
new password file from scratch.
Now that you've taken the line or lines produced by the password maker, save
that file as .htpasswd. FTP both of them as ASCII to your directory, test, and
voilà.
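As an added example (not the article's code and not the Mainstream Webmasters tool), here is how lines of that same user:hash form can be made and checked in PHP; it assumes PHP 8 and shows the bcrypt form Apache also accepts beside the 13-character DES form in the lines above.

```php
<?php
// Added example, not the article's code: make and check .htpasswd lines in PHP.
// Assumes PHP 8+. Apache accepts bcrypt ("$2y$...") lines; the 13-character
// DES crypt form in the article ("Guido:sDK33NPSnvonU") is also accepted,
// but it is weak (8-character password limit, fast to brute force).

// Build one "user:hash" line. Use bcrypt; the DES branch only reproduces the
// article's format so you can see what the password maker produced.
function htpasswd_line(string $user, string $password, bool $legacy_des = false): string
{
    if (strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name must not contain ":" or newlines');
    }
    if ($legacy_des) {
        // crypt(3) DES: 2-character salt drawn from [./0-9A-Za-z], random each time.
        $salt = substr(strtr(base64_encode(random_bytes(3)), '+', '.'), 0, 2);
        $hash = crypt($password, $salt);
    } else {
        $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    }
    return $user . ':' . $hash;
}

// Test a user/password pair against the text of a .htpasswd file. The stored
// hashes are one-way: a guess can be checked against them, but the password
// cannot be read back. Handles crypt()-compatible lines (DES, bcrypt), not
// Apache's "$apr1$" MD5 or "{SHA}" formats.
function htpasswd_check(string $file_contents, string $user, string $password): bool
{
    foreach (preg_split('/\R/', $file_contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // blank or comment line
        }
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($name === $user) {
            // password_verify() accepts any crypt()-style hash and compares in constant time.
            return password_verify($password, $hash);
        }
    }
    return false; // user not in the file
}

// Constructed demo: a two-user file, then a correct guess and a wrong one.
$file = htpasswd_line('Guido', 'correct horse') . "\n"
      . htpasswd_line('Norma', 'battery staple', true) . "\n";
var_dump(htpasswd_check($file, 'Guido', 'correct horse'));
var_dump(htpasswd_check($file, 'Norma', 'battery staple'));
var_dump(htpasswd_check($file, 'Norma', 'wrong'));
```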
Btw, there are other handy tools at the above site. Sometimes it's tough to
think of a password. The stranger you go, the better. So
rather than put in your dog's name or something else that's commonplace and
could either be guessed at or cracked through a hacker running words through a
dictionary program, it's much better to have passwords like: 4hP1ojjd or
PQF9hMEz. Where does one come up with stuff like that? Another very handy
webmaster tool: the
random password generator
Ok, that's pretty much it; this article could easily end right here. But,
you're jazzed now, aren't you? Admit it. Yes! That really was a whole
lot easier than you could have imagined right? All it requires is the right
tools and maybe a little explanation and an example. But wait, you're still
jazzed, right? So then, what's next? Next is only one slight step more advanced
(and I do mean slight). Again, if you couldn't do it easily I would not include
it here.
There are times when you need extra security but you can't protect the entire
directory, just a single file, and not an average one, but a script file. Don't
get weak-kneed now. (Jazzed, remember. You can do this!) And that brings us to
...
PHP Auth
Below is a PHP code snippet that you can drop into almost any PHP script and
make things more secure. For me, I was tired of various exploits messing up my
own portal. I had also, a while back, made soooo many text modifications and
put in so many addons and plugins and such that updating to a new version
was basically impossible (or in manhours, certainly impractical). In short I
needed extra security.
The big problem was the script didn't have its own separate /admin directory.
It's one of those where everything is in the same directory, the area for the
users and for the administration as well. You've seen scripts like this, and
you probably have one like it too; you know, where the login URL goes something
like: http://www.mydomain.com/admin.php?s=login
So, without keeping out all the users I want visiting my site, there was no way
to do the .htpasswd protection.
Or was there? Enter my programmer friend and his snippet for using PHP's
Authorization function. Again, this is easy. If you've never altered a
programming file (one ending in .php, for instance), this should still not
scare you. Again, even I could do it.
    // Basic-auth gate: goes below the script's opening <?php line, above everything else.
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        // No credentials sent yet: ask the browser to prompt for them.
        header('WWW-Authenticate: Basic realm="YourLabelHere"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'You are not authorized to view this page';
        exit;
    }
    $userin = $_SERVER['PHP_AUTH_USER'];
    $passin = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($userin !== 'username_goes_here' || $passin !== 'password_goes_here') {
        // Wrong user name or password: refuse and stop.
        header('HTTP/1.0 401 Unauthorized');
        echo 'You are not authorized to view this page';
        exit;
    }
    // Anything below here runs only for the right user name and password.
Now, if another exploit, hack, program hole or whatever lets somebody get in,
they will be further blocked by having an additional login to contend with.
Foolproof? Probably not. But it's like having the big red "club" on your car
steering wheel or brake. If it doesn't stop them in and of itself, it might
stop them just because there are other less secure cars (or in this case,
sites) that can be broken into. And if the hackers are using a robot to do
their work, it won't expect something that few other copies of the same script
everywhere else have. Either way, it's yet another lock on the door. And, as you
can see, easy to add.
The snippet goes at the top of the script file. Not the very top: every PHP file
needs to start with <?php, so just below that line and above any other code is
perfect. There are just three places to make changes in the snippet: the Auth
Label once again, and naturally the username and password.
Unlike .htpasswd there is no encryption here. And so it's another good
place to use the random generator mentioned above to come up with a strange
name. The one nice thing about this particular file is if you do forget your
password, you (but not strangers) can FTP in and view the file. Don't let this
concern you, as remember your script no doubt already has its own admin login
routine; this just adds an important second "lock on the door". Oh, and one
other important difference from the standard .htpasswd method is to remember
that this protects this file only - period; not the directory, not any other
file in the directory, nor any subdirectories.
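A hardened version of the snippet above, written here as an added example rather than the author's or his friend's code: it keeps the same prompt and 401 responses but stores a bcrypt hash instead of the plaintext password, so someone who reads the file learns nothing usable. The user name and hash constants are placeholders, and it assumes PHP 8 running as an Apache module (otherwise PHP_AUTH_USER and PHP_AUTH_PW are not filled in).

```php
<?php
// Added example, not the article's snippet: the same Basic-auth gate with the
// password kept as a bcrypt hash instead of plaintext. Assumes PHP 8+ running
// as an Apache module, so PHP_AUTH_USER / PHP_AUTH_PW are populated.
// Basic auth sends the password with every request, only base64-encoded,
// so the page should be served over HTTPS.

// Placeholders: pick your own user name and generate the hash once with
//   php -r 'echo password_hash("your-password", PASSWORD_BCRYPT), PHP_EOL;'
const ADMIN_USER = 'username_goes_here';
const ADMIN_HASH = '$2y$PLACEHOLDER_REPLACE_WITH_REAL_HASH';

function credentials_ok(?string $user, ?string $password): bool
{
    if ($user === null || $password === null) {
        return false;
    }
    // Both comparisons run every time, in constant time, so the response
    // does not reveal which of the two was wrong.
    $user_ok = hash_equals(ADMIN_USER, $user);
    $pass_ok = password_verify($password, ADMIN_HASH);
    return $user_ok && $pass_ok;
}

function deny(string $realm): void
{
    // Same responses as the original snippet: prompt, refuse, stop.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You are not authorized to view this page';
    exit;
}

if (!credentials_ok($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null)) {
    deny('YourLabelHere');
}
// The rest of the script continues here and is reached only with valid credentials.
```

This still protects only the one file it is placed in, exactly as the original snippet does.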
Back it up!
Finally - and this by now is knee-jerk, automatic for me, and it should be for
you and everyone else too - always always always make backups before
editing a file. Just in case. This way, you can't ever go wrong. Or rather, if
you do mess up, it's very short-lived, as opposed to devastating.
About the Author
Harry Kenney is one of the owners of the Mainstream Webmasters
ecommerce resource and admin of the
webmaster forums there.