How to protect a webpage with a password? - authentication

I have a web app with a setting page that I would like to protect with a password so that unless the password is correctly entered the user cannot change any of the settings.

To add a password for a page on your website, you’ll need to modify the .htaccess and .htpasswd files on the server. Take a look at this link for the full details.
Basically you need to do these two things:
Modify (or add) the special text file on your server called .htpasswd, to contain the username and encrypted password separated by a colon on a separate line.
If you have SSH access, this can be done automatically using the htpasswd utility:
htpasswd -c .htpasswd ben
Otherwise you can modify/create the file manually, and handcraft the username/password using an online password encryptor. The linked-to site suggests these three:
4WebHelp's online .htpasswd encryption tool
Alterlinks .htaccess password generator
htmlite's htpasswd encryption page
As an example, for a username of ben and a password of password12345 you would use this line:
ben:51CbcBM13fOMo
Modify (or add) the special text file called .htaccess, in the folder where the settings page you want to protect resides, to contain the following:
AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Protected Settings Page"
<Files "mySettingsPage.html">
Require valid-user
</Files>
Of course, /full/path/to/.htpasswd should be replaced with the full path to where the .htpasswd file resides on your server.
Likewise, replace mySettingsPage.html with your own settings page name.
Note that the AuthName string can be changed to suit.

Related

Is there an equivalent setting in Apache (on a UNIX box) to prompt user login to view a site as Windows Authentication does in IIS?

I have been requested to setup a test site written in php, on a unix box. I have been given the site files and it is loading fine but I need to close it off from anonymous access. Is there a setting in Apache server that allows this to be done in the same way that Windows Authentication would in IIS. I understand that a login page could be added to the site but I am not a php developer and wanted to take advantage of existing functionality if it's there.
Thanks.
A simple solution would be to add an .htaccess file with something like this in your webroot:
AuthUserFile /<path>/.htpasswd
AuthType Basic
AuthName "Your Auth Name"
Require valid-user
Then you would need to add a .htpasswd file with your login credentials.
To add a .htpasswd file you could open your terminal and execute the following command:
htpasswd -c -b .htpasswd username password
The above will create a file name .htpasswd with username/password as login in the current directory.
Reference: Password Protection with .htaccess & .htpasswd

Password protecting mamp:localhost

I've created a .htpasswd file and .htaccess to password protect my localhost. I have put both in my mamp folder (where my website folders are). I have encrypted the password put in my htaccess :
AuthUserFile /WorkArea/mamp/
AuthType Basic
AuthName "localhost"
Require valid-user
It has locked me out of my localhost by giving me a 500 internal error.
The discussion above fed to this solution:
It is important to understand that .htaccess and .htpasswd files have to be plain text files to work. So the best way to create and manage them is to use a plain text editor. Using some kind of word processor (like OpenOffice-Word or similar) will save additional formatting information into those files. This will lead to the http server not being able to make sense of those files, thus throwing an error.
Also some side note: the .htpasswd file should not be placed alongside the documents pubished by the http server. This is a high security risk. So .htaccess and .htpasswd style files must be stored at completely separate locations, the first within, the second outside the area of the documents.

http digest authentication with .htpasswd

I am working on windows and for now I have Http Basic authentication with following .htaccess file:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile D:\\some\\windows\\path/.htpasswd
require valid-user
and following .htpasswd file for user "test" with password "test" (created using http://www.htaccesstools.com/htpasswd-generator-windows/):
test:$apr1$EUhLJ8Ye$LpBIbzDcBXY.80pH53oN2/
This works, I am able to enter correct username and password and I gain access.
But as I am not using SSL I would like to use Digest authentication (to avoid sending password in plain text to server). I changed line AuthType Basic to AuthType Digest but it is not working anymore - even if I am typing correct user and pass I cant gain access.
Probably I should encrypt/hash password in .htpasswd using different algorithm but I cant find it...
If you want to use digest authentication, you'll have to create new password files. Those for digest auth will have a slightly different format that that used for basic auth. Typically, apache comes with tools for doing this.
Look out for the command line programs "htpasswd.exe" and "htdigest.exe". You need to use the second one for generating password files for digest auth. Use it like this:
c:\path\to\htdigest.exe -c c:\some\windows\path.htpasswd_digest realm username
You'll only need "-c" the first time you issue the command, if you only add new users to an existing file, it's like:
c:\path\to\htdigest.exe c:\some\windows\path.htpasswd_digest realm another_username
"realm" should be the same value you used in your apache config for AuthName.
Oh, and obviously, don't forget to update AuthUserFile in your apache configuration...

Password protecting and only allowing one IP address to access a directory?

I have a directory on my website that I need to make sure no one but myself can get into. From the reading I've done, it looks like there are two ways to protect a directory:
Password protect the directory using the .htaccess file
Deny access to all IP addresses but my own from accessing the directory, also using the .htaccess file
I need to protect the files in the directory as securely as possible, so I figured I'd use both of those methods for double protection.
Question 1: Am I missing anything? (i.e. is there another layer of protection I can add?)
Question 2: What would I need to put in a .htaccess file to get the above to work?
Your .htaccess file would contain:
AuthUserFile /usr/local/nate/safe_place/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Files"
AuthType Basic
require user nate
order deny, allow
deny from all
allow from 127.0.0.1
The .htaccess file goes in the directory you're trying to protect.
You also need a .htpasswd file (shown above as /usr/local/nate/safe_place/.htpasswd) which contains the text username:password_hash. So if we use "nate" as an example and "secret" as the password (please don't use that) you get:
nate:XmN6pwFyy3Il2
You can use this tool to generate your own password file: http://www.tools.dynamicdrive.com/password/
Just make sure that no one can read your .htpasswd file. Also note that basic authentication does no encryption by itself. If you're on an open network, anyone can see your password and all the secret data going over the network. Make sure you visit your site via https if it's really that secret.
You can read more about .htaccess files here:
http://www.javascriptkit.com/howto/htaccess.shtml
Assuming you're running Apache and have an AllowOverride directive permitting .htaccess files to use <Limit>, the following should be a good starting place for you:
<Limit GET>
Order deny,allow
Deny from all
Allow from IP_ADDRESS_HERE
</Limit>
More documentation on <Limit>: http://httpd.apache.org/docs/current/mod/core.html#limit
and for access control: http://httpd.apache.org/docs/2.2/howto/access.html

.htaccess and .htpasswd to prevent access to folder problem

I have a website admin area I want to protect with a password..
so inside the admin folder I put an .htaccess and .htpasswd files containing this:
.htaccess:
AuthUserFile C:/wamp/www/website_project/admin/.htpasswd
AuthName "Restricted Area"
AuthType Basic
Require valid-user
.htpasswd: (generated using an online tool)
admin:sOSDxAdJI4xx2
When I go to the admin folder, a popup is shown where I need to insert username and password... so until now its working fine, BUT no matter if I insert a correct password or not I get the same popup again when I hit 'enter', I can never access the folder...
Any suggestions?
Based on the AuthUserFile line, it looks like you're using Apache on Windows, which has a different default password encryption algorithm than other platforms. Try using the htpasswd command-line tool to generate the password and see if you still have the same problem.