.htaccess and .htpasswd to prevent access to folder problem - apache

I have a website admin area I want to protect with a password..
so inside the admin folder I put an .htaccess and .htpasswd files containing this:
.htaccess:
AuthUserFile C:/wamp/www/website_project/admin/.htpasswd
AuthName "Restricted Area"
AuthType Basic
Require valid-user
.htpasswd: (generated using an online tool)
admin:sOSDxAdJI4xx2
When I go to the admin folder, a popup is shown where I need to insert username and password... so until now its working fine, BUT no matter if I insert a correct password or not I get the same popup again when I hit 'enter', I can never access the folder...
Any suggestions?

Based on the AuthUserFile line, it looks like you're using Apache on Windows, which has a different default password encryption algorithm than other platforms. Try using the htpasswd command-line tool to generate the password and see if you still have the same problem.

Related

.htaccess produces permission denied despite correct password

I set up a .htaccess-file to protect a folder which is in the webroot. Let's call the folder /protected.
I placed the .htaccess and the .htusers file in this very folder (/protected). When I try to login into the folder using the correct login credentials I still get 403.
Here is the .htaccess file:
AuthType Basic
AuthName "Service-Bereich"
AuthBasicProvider file
AuthUserFile [FULL_PATH]/.htusers
Require valid-user
.htusers
mary:$afr1$oqJDM12K$iT9QWY4ETerG0LUtRzw8C.
(For security reasons: user data is not real! It is a mockup)
Thank you in advance.
I finally managed to get it working. I left out the AuthBasicProvider file directive and put a file into the directory. However, I would still be interested in getting it to work without placing a file into the directory. :)
Thank you for all who tried to help me solving the issue.

How to protect a webpage with a password?

I have a web app with a setting page that I would like to protect with a password so that unless the password is correctly entered the user cannot change any of the settings.
To add a password for a page on your website, you’ll need to modify the .htaccess and .htpasswd files on the server. Take a look at this link for the full details.
Basically you need to do these two things:
Modify (or add) the special text file on your server called .htpasswd, to contain the username and encrypted password separated by a colon on a separate line.
If you have SSH access, this can be done automatically using the htpasswd utility:
htpasswd -c .htpasswd ben
Otherwise you can modify/create the file manually, and handcraft the username/password using an online password encryptor. The linked-to site suggests these three:
4WebHelp's online .htpasswd encryption tool
Alterlinks .htaccess password generator
htmlite's htpasswd encryption page
As an example, for a username of ben and a password of password12345 you would use this line:
ben:51CbcBM13fOMo
Modify (or add) the special text file called .htaccess, in the folder where the settings page you want to protect resides, to contain the following:
AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Protected Settings Page"
<Files "mySettingsPage.html">
Require valid-user
</Files>
Of course, /full/path/to/.htpasswd should be replaced with the full path to where the .htpasswd file resides on your server.
Likewise, replace mySettingsPage.html with your own settings page name.
Note that the AuthName string can be changed to suit.

.htaccess doesn't work correctly

I have a problem with .htaccess, my file looks like:
AuthUserFile "/home/user/.htpasswds/public_html/user/passwd"
AuthName "Lock"
AuthType Basic
require valid-user
And when somebody want to download file for example *.doc from this protect directories, login and password is required, but when somebody wants to download file *.pdf, password and login is not required. I don't know why login and password isn't check when someone is downloading pdf file?
I want allow downloading all kinds of files only for people who has a login and password.

Is there an equivalent setting in Apache (on a UNIX box) to prompt user login to view a site as Windows Authentication does in IIS?

I have been requested to setup a test site written in php, on a unix box. I have been given the site files and it is loading fine but I need to close it off from anonymous access. Is there a setting in Apache server that allows this to be done in the same way that Windows Authentication would in IIS. I understand that a login page could be added to the site but I am not a php developer and wanted to take advantage of existing functionality if it's there.
Thanks.
A simple solution would be to add an .htaccess file with something like this in your webroot:
AuthUserFile /<path>/.htpasswd
AuthType Basic
AuthName "Your Auth Name"
Require valid-user
Then you would need to add a .htpasswd file with your login credentials.
To add a .htpasswd file you could open your terminal and execute the following command:
htpasswd -c -b .htpasswd username password
The above will create a file name .htpasswd with username/password as login in the current directory.
Reference: Password Protection with .htaccess & .htpasswd

http digest authentication with .htpasswd

I am working on windows and for now I have Http Basic authentication with following .htaccess file:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile D:\\some\\windows\\path/.htpasswd
require valid-user
and following .htpasswd file for user "test" with password "test" (created using http://www.htaccesstools.com/htpasswd-generator-windows/):
test:$apr1$EUhLJ8Ye$LpBIbzDcBXY.80pH53oN2/
This works, I am able to enter correct username and password and I gain access.
But as I am not using SSL I would like to use Digest authentication (to avoid sending password in plain text to server). I changed line AuthType Basic to AuthType Digest but it is not working anymore - even if I am typing correct user and pass I cant gain access.
Probably I should encrypt/hash password in .htpasswd using different algorithm but I cant find it...
If you want to use digest authentication, you'll have to create new password files. Those for digest auth will have a slightly different format that that used for basic auth. Typically, apache comes with tools for doing this.
Look out for the command line programs "htpasswd.exe" and "htdigest.exe". You need to use the second one for generating password files for digest auth. Use it like this:
c:\path\to\htdigest.exe -c c:\some\windows\path.htpasswd_digest realm username
You'll only need "-c" the first time you issue the command, if you only add new users to an existing file, it's like:
c:\path\to\htdigest.exe c:\some\windows\path.htpasswd_digest realm another_username
"realm" should be the same value you used in your apache config for AuthName.
Oh, and obviously, don't forget to update AuthUserFile in your apache configuration...