How-to Password Protect Your Web Space
Computing Resources >> Tutorials >> Web Development >> How-to Password Protect Your Web Space 


Create Username and Password

Protecting Directories

Evaluate this tutorial

Protecting Individual Files

    Sometimes you don't want to protect entire directories, but only certain files. For instance, if you have a single page in your public_html directory called secret.html that you want to protect. To do this, we use a directive that looks even more like HTML in that it requires an opening and closing statement. This directive, called Files, takes a single filename as an argument. Again, open your .htaccess file with a text editor (pico .htaccess) (NOTE: If you moved your .htaccess file in the step above, you will want to move or copy it back. mv classwork/.htaccess . will do that for you.) Once inside your .htaccess file, add the following lines:

      <Files secret.html>
      require valid-user

    (Or surround the currently present "require valid-user" with the top and bottom statements.)

    Now when somebody tries to access secret.html, they are prompted for a username and password, but all your other files are openly available.

    If you want to protect more than one file, you will have to create a Files directive for each one, unless their names follow some pattern. For instance, if you have a set of files in Portable Document Format (PDF) that all end in ".pdf", you can use what is known as a wildcard inside the Files directive. A wildcard is a special character that substitutes for a range of values. So, if you had three files called "chapter1.pdf", "chapter2.pdf", and "chapter3.pdf" that you wish to limit access to, you would create an entry in your .htaccess file that looked like:

      <Files *.pdf >
      require valid-user

    The "*" takes the place of any possible characters and numbers, so any file that ends in ".pdf" would now be password protected.

    Up to now, we have only required that the username / password pair be correct and listed in our htusers file, but it is also possible to specify which users have access to particular areas. In order to do this, we change the require statement so that it specifies exactly who is allowed to access the file or directory. For instance, if we had created two accounts, faculty and students, we could allow anyone who knew the faculty password into some areas and anyone who knew the student password into other areas. So, if we had two files, student.html and faculty.html, we could put the following entry into our .htaccess file:

      <Files faculty.html >
      require user faculty
      <Files student.html >
      require user student

    This way, a user would have to know the student username and password to see the student.html page or the faculty username and password to see the faculty.html page.

Using a combination of html directory organization, .htaccess files, and Files directives, a user can construct elaborate authorization schemes for their web space. In addition, the .htaccess file allows a variety of other directives, some related to limiting access, others specifying different web server behavior. See the Apache run-time configuration documentation for a complete list of directives, some of which are valid inside an .htaccess file. Please send comments, suggestions, or questions concerning this page to
* Rather than save the password in a regular text form, htpasswd saves it in this encrypted form so someone can't just come along and see your password. Then, when someone enters a password into their web browser to enter your site, what they type is also encrypted. If the two encrypted strings match, then they type the correct password.

Watch the video

choose format/speed
dial-up | broadband
dial-up | broadband
dial-up | broadband

© 2003 Shane Williams| iSchool | UT Austin | webmaster