Password Protect using htaccess

Programming, error messages and sample code > IIS Rewrite



mod_authn_file module provides user authentication by searching their credentials in plain text file.

Quick start

Sample mod_auth_basic & mod_authn_file configuration in .htaccess

# Authentication type
AuthType Basic
# Name of area authentication will be used for (aka realm)
AuthName "secret area"

# Authentication provider. Here - mod_authn_file
AuthBasicProvider file
# Info for mod_authn_file - path to password file
AuthUserFile c:\inetpub\.htpasswds
# Access will be granted to all authenticated users
Require valid-user

Enviroment variables

Name        Context       Description
enable_plaintext_passwords        S V D.h Enables plain text passwords in password file; by default it is disabled


Name   Context       Description
AuthUserFile        D.h sets the name of a text file containing the list of users and passwords for authentication


AuthUserFile directive specifies the name of a text file containing the list of user-password pairs for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the current configuration file ( httpd.conf or .htaccess ).

Note! You can put several AuthUserFile directives into the config file thus enabling Ape to load passwords from several files that may be helpful for logical divison of users into groups (not supported in Apache) .


AuthUserFile file-path


AuthUserFile H:\root\home\your root path\.htpasswds
AuthUserFile H:\root\home\your root path\.htpasswds

Each line of password file contains a username, colon and encrypted user password. If the same username occurs several times, mod_authn_file will verify the password against the first occurrence.

Passwords can be easily generated directly from the Helicon Ape Manager. Having opened the Manager, create new file ( File -> New ) and go to Options -> Insert user password... ; you'll see the dialog allowing generation of user passwords for Basic and Digest authentication.

To apply this module to, for example, mod_auth_basic or mod_auth_digest, it should be defined in AuthBasicProvider or AuthDigestProvider respectively with file value.

That is the most usable authentication method as it is the simplest. Moreover, the password file may be edited manually. The shortcoming of this method is that it becomes very sluggish when the number of users grows up.

Security note! Don't locate passwords file inside the directory that it protects and inside web-server document tree. Otherwise, clients will have a chance to download it.