
The Basics of Password Protection

Apache offers the Basic Authentication scheme to allow the password protection of directories on a per-user basis.  These are generally managed using .htaccess files placed in the relevant directories, which contain a list of users that are permitted to access that directory.

Let's start with an example.  Imagine you have a directory named /private within your website, and it contains this .htaccess file:

AuthType basic
AuthName "Secure Area"
AuthUserFile /etc/httpd/conf/.htpasswd
Require user peter robin james

The first directive, AuthType basic, indicates to Apache that we are using Basic Authentication.

The second directive AuthName, allows us to identify precisely what this secure area is for.  This name will be shown to end users when they are prompted to enter a username and password.

The third directive, AuthUserFile, points Apache to the file containing a list of valid usernames and their passwords. Note that passwords in this file are stored as one-way hashes rather than in plaintext, which means that if one of your users forgets their password, you cannot recover it for them and must manually set a new password for them.

The final directive, Require, indicates which users are granted access to the directory (/private in our example).  In this case it's easy to see that peter, robin and james have access permissions.

Note that instead of explicitly granting access to users, we can use the Require directive like this:

Require valid-user

This option will grant access to every user present in the AuthUserFile. Generally it's best to avoid this "allow anyone" method, as it's easy to lose track of who should be allowed access, and relies on you keeping your AuthUserFile clean of any unwanted users. 

If you are offering different access levels to different users, the valid-user option is obviously not appropriate.
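As an added example (not part of the original tutorial), here is the server side of the exchange these directives set up, written in Python: a parser for the AuthUserFile, the password check against an htpasswd entry, and the Require user versus Require valid-user decision applied to the Authorization header a browser sends after the AuthName prompt. The users, passwords and file contents are constructed for the example, and only the {SHA} entry format that `htpasswd -s` writes is handled.

```python
import base64
import hashlib
import hmac

def htpasswd_line(user, password):
    """One AuthUserFile line in the {SHA} format that `htpasswd -s` writes."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

# Constructed AuthUserFile contents (hypothetical users and passwords).
AUTH_USER_FILE = "\n".join([
    htpasswd_line("peter", "hunter2"),
    htpasswd_line("robin", "correct horse"),
    htpasswd_line("sally", "letmein"),  # in the file, but not in "Require user"
])
REQUIRE_USERS = ("user", ["peter", "robin", "james"])  # the tutorial's Require line

def load_users(text):
    """Parse AuthUserFile text into {username: stored_hash}, skipping blank/comment lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            user, _, stored = line.strip().partition(":")
            users[user] = stored
    return users

def password_matches(stored, password):
    """Compare a candidate password with one stored {SHA} entry in constant time."""
    if not stored.startswith("{SHA}"):
        return False  # apr1/bcrypt entries need extra libraries; not handled here
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)

def authorize(auth_header, users, require):
    """Apply AuthType basic plus Require ("user", [names]) or ("valid-user", []) to one request.
    Returns "granted", "unauthenticated" (missing/bad credentials) or "not-permitted" (valid
    login, user not in the Require list; Apache sends 401 for both denials by default)."""
    if not auth_header or not auth_header.startswith("Basic "):
        return "unauthenticated"
    try:  # credentials are only base64-encoded, not encrypted; TLS protects them in transit
        user, sep, password = base64.b64decode(auth_header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return "unauthenticated"
    if not sep or user not in users or not password_matches(users[user], password):
        return "unauthenticated"
    kind, names = require
    return "granted" if kind == "valid-user" or user in names else "not-permitted"

def basic_header(user, password):  # the header a browser sends after the AuthName prompt
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```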

One more directive you may have come across is the Apache Limit directive. Learn why you should not use this.
