Sometimes it can be useful (or essential) to have password protection on some or all of your web site so that only known, authorised visitors can access your web pages.

For example, your organisation may wish to have a web site available only to its members, or you may wish to have one section of your site available only to registered users, employees, resellers or some other group with particular needs.

The simple and not so secure way out

The easiest way to achieve basic protection for some parts of your web site is just to put them in a directory which is not linked to from any pages. In other words, just make them regular web pages but only those people you give the exact address to will be able to find them.

Although it's very unlikely anyone would stumble onto such a directory by accident, there is a potential risk that becomes more likely over time. That is, one of your trusted people to whom you have given the exact location of your "private" web space may create a link directly to these pages from somewhere else on the wider Internet.

Or they may submit the address directly to one or more search engines which will then make the content available to the general public. It's also possible that your "secret" web address makes it into referral URLs or web server logs and appears on another public web site. If that happens it won't be long before Google and the other search engines find their way back to your site and index its contents.

Using password protection for better security

A better solution is to have a username and password combination that is required for visitors to get to your web site. If you wish, you can combine this with the simple "hidden" directory method as above for somewhat better security.

Please note that even with passwords, the authentication method used in this sort of password exchange (HTTP Basic authentication) is fairly primitive: the browser sends the username and password, merely base64-encoded rather than encrypted, with every request, so it only keeps the password private when the site is served over HTTPS. It should nevertheless be quite sufficient to stop Joe Public stumbling onto the more private parts of your site by accident.

Telling your site to require passwords

The first step is to designate a particular directory of your web site as requiring passwords before granting access. To do this, you must create a file in that directory of your web space called .htaccess.

Note that this file name must start with a full stop and the letters must be all in lower case.

The content of the .htaccess file should be as follows (but not literally - see notes below):

AuthUserFile /location/of/password/file
AuthName "My Private Area"
AuthType Basic
require valid-user

Note: You should replace the My Private Area with the desired title of the password request window - whatever you type here will typically show up in the title bar of the username/password request box that pops up when someone visits your protected site.

Also, you should replace /location/of/password/file with the actual location of your password file. The full path name is required, which generally means you need to prefix something like /virtual/companyname/ to your file name (contact us if you need a hand to determine what this should be).

For example, if you log in to your web site using the name smithco and you have put the password file in a directory called members in a file called myuserlist then the first line of your .htaccess file should read:

AuthUserFile /virtual/smithco/members/myuserlist

The format of the password file

The password file is actually just a plain text file with one user's entry per line.

Each entry consists of the username followed by a colon and the user's encrypted (that is, hashed) password, for example:

fred:$1$$1$4KsbT/..$2mbVgUmOBNbCUr70Ne0iJ1

Generating password file entries

To create a password file entry, enter the username and password you wish to add and click on Encrypt Password.

This will generate the password file line in the correct format. You can then cut and paste this into your password file.
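The following is an added example (not the page's own form or tool) of the two steps just described: building a username:hash line in the format shown above and reading such a file back to check a login. It uses Apache's {SHA} entry form (base64 of SHA-1, what htpasswd -s produces), chosen only because it needs no extra libraries; it is unsalted, so for a real site prefer the bcrypt entries that htpasswd -B generates, and keep the password file outside any directory the web server serves. The sample file contents are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample password file in the page's format: one
# "username:hash" entry per line. The hash below is SHA-1 of the
# string "password" in Apache's {SHA} form.
SAMPLE_USERLIST = """\
fred:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

# blank lines and lines starting with '#' are skipped by this parser
"""


def sha_entry(username: str, password: str) -> str:
    """Build one password-file line for username in Apache's {SHA} format."""
    # A ':' or newline in the username would corrupt the file's structure.
    if not username or ":" in username or "\n" in username:
        raise ValueError("username must be non-empty and contain no ':' or newline")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{username}:{{SHA}}{encoded}"


def parse_userlist(text: str) -> dict:
    """Return {username: stored_hash} from password-file text."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'username:hash'")
        name, stored = line.split(":", 1)  # split once; hashes may contain ':'
        users[name] = stored
    return users


def check_login(users: dict, username: str, password: str) -> bool:
    """True if username exists and password matches its {SHA} entry."""
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash form this checker does not handle
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    candidate = base64.b64encode(digest).decode("ascii")
    # Constant-time comparison avoids leaking how much of the hash matched.
    return hmac.compare_digest(stored[len("{SHA}"):], candidate)
```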


Last updated 07 Apr 2005
