[howto] Protect a section with HTTP authentication (.htaccess)

ruud · 2006-08-02 09:01:20

Suppose your website is at http://example.com and TXP is installed in the root directory and you want to use HTTP authentication to protect the section called ‘protected’ (http://example.com/protected).

This example assumes your website is hosted on an Apache webserver and that you already have an existing .htpasswd file containing usernames and passwords.

Physically create that directory ‘protected’
Within that directory ‘protected’, create the following .htaccess file:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule ^(.*) ../index.php
</IfModule>

AuthType Basic
AuthUserFile /path/on/server/to/.htpasswd
AuthName "Only for registered users"
require valid-user

Last edited by ruud (2007-02-11 12:17:21)

masa · 2006-08-02 11:06:57

You’d also want to check your host’s control panel whether that offers an automated way to create the .htpasswd and .htaccess files for you – Textdrive does.

tyee · 2007-02-11 02:28:45

Will this work with any CMS that uses a mySQL database instead of physical page files?? This is so cool if it will. I’ve been searching for days on how to do this.
I think it should be written like this, yes. please confirm??

<IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^(.*) ../index.php </IfModule>
AuthType Basic
AuthUserFile /path/on/server/to/.htpasswd
AuthName “Only for registered users”
require valid-user

This would be great if it would work everywhere.

Thanks
tyee

Last edited by tyee (2007-02-11 03:29:41)

ruud · 2007-02-11 12:19:11

I’ve updated the code, see above. If that other CMS works in a similar way, then yes, it can work. Only one way to find out: try it ;)

tyee · 2007-02-11 21:23:18

Hi ruud

Yes, I’ve been trying it many different ways and I always get taken back to my main index.php page. In another post I asked a question on how to interpert the code here. I guess you may answer in that other post.

But is this line —- RewriteRule ^(.*) ../index.php—— letting the texpattern index.php redirect to the protected section??

tyee

ruud · 2007-02-11 21:50:08

It’s needed, because otherwise TXP wouldn’t handle the request and you would see a directory as the webserver itself would display it.
When you’re allowed to visit the protected directory (which exists physically on the server), the RewriteRule prevents that physical directory from being shown to the user. Instead it redirects the request to Textpattern’s index.php (which would have happened if that protected directory hadn’t existed physically on the server), so TXP can show the section you really wanted to see.

Normally, sections in TXP don’t have a corresponding physical directory. It is all handled by index.php. To be able to password protect with .htaccess, a physical directory is required, but… when you request a file or directory that physically exists, the default TXP installation will no longer take care of it; instead that real, physical directory/file will be shown by the webserver. The rewrite rule overrides that by saying: even though there is a physical file/directory here, we still want TXP to handle the request. Because that happens after the authentication step, you get what you want: a password protected TXP section.

Last edited by ruud (2007-02-11 21:51:01)

tyee · 2007-02-11 23:16:15

Hi ruud

Thanks for the reply and explanation. I’m wondering how come my cms then redirects to my index.php and stays there. The RewriteRule must need something else that’s not needed in textpattern. I have posted this question on my cms’s forum also.

Thanks
tyee

woollyhat · 2007-02-15 23:35:04

To get TXP to produce clean URLs, I use the .htaccess file in my root directory as follows:

<code>DirectoryIndex index.php index.html
#Options +FollowSymLinks
#RewriteBase /

<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_FILENAME} -f [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^(.+) – [PT,L]

RewriteRule ^(.*) /index.php </IfModule>

php_value register_globals 0</code>

BUT… I can’t get the method in this post to work for a subdirectory I want password protected. Is there something obvious I’m doing wrong? Many thanks for any help offered!

NathanLogan · 2007-04-11 21:30:24

Assuming you’ve already tried the FAQ way of doing things and it didn’t work for you (like it failed to work for me), I developed this script and added it to the top of my root index.php file:

$directory = "/root-relative/web/path";  // NO trailing slash here
$dir_length = strlen($directory);
if ( strtolower($directory) == substr(strtolower($_SERVER['REQUEST_URI']),0,$dir_length) ) die;

If you want to protect multiple directories, here’s the array version:

$protected_directories = array("/root-relative/web/path", "/another/path");  // NO trailing slashes here
foreach ($protected_directories as $directory)
{
		$dir_length = strlen($directory);
		if ( strtolower($directory) == substr(strtolower($_SERVER['REQUEST_URI']),0,$dir_length) ) die;
}

It worked for me. Hopefully you experience the same results. =)

laptophobo · 2010-05-24 22:28:41

Hello ruud,

In your topic, you state:

…you already have an existing .htpasswd file containing usernames and passwords.

I looked for this file, couldn’t locate it. Is this something that I would have to create? I do have several User accounts in Textpattern Admin > User.

joebaich · 2010-05-24 23:40:35

Hello,

Yep, you would have to create the .htpasswd file to match Ruud’s .htaccess file. The format is easy though:

username1:password for username1
username2:password for username2
etc

This file must go in a non web user accessible location referenced by AuthUserFile /path/on/server/to/.htpasswd in Ruud’s .htaccess file.

See this article, for instance, but there are lots of others too.

Cheerio for now.

laptophobo · 2010-05-25 17:21:13

Hello Joe! Thanks for helping me (all of us) through this password protection application.

As I compare your initial thread with that of the article you directed me to (at: http://tools.dynamicdrive.com/password/) I’m left a little unsure (if not confused).

Here’s my need:

I wish to protect a Section called “private-page” on a Page with the same name.
FYI: my root directory is located at: www.mywebsite.com/html_docs/.

This is how I understand the instructions:

First, I should create a folder/directory (within html_docs) with the name of “private-page” (since that is the name of the Page and Section I wish to protect). Inside that folder will be a file called “.htaccess”. In that file will be the following script:

<IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^(.*) ../index.php
</IfModule>

AuthType Basic
AuthUserFile /html_docs/.htpasswd
AuthName “Only for registered users”
require valid-user

As for the “.htpasswd” file, I read that it should not be left in the root (per above) but within another folder. Could it go in the cgi-bin folder? If so, then the new file location (per above) would be: AuthUserFile /html_docs/cgi-bin/.htpasswd.

Would this be correct?

Continuing on…

In that .htpasswd file will be the content (created by the dynamic password generator that you recommended and is mentioned above). It would look like this:

userone:DBug7D03zsUY7
usertwo:DBug7D03zsUY7

So, with the .htaccess file in the “private-page” directory, and the .htpasswd file in either the root or “cgi-bin” directory, that is all I need to do to protect the Textpattern section and page called “private-page.” And that there is no tag applied to the Page itself?

THANK YOU for your knowledge and assistance.

Textpattern CMS

Textpattern CMS support forum

#1 2006-08-02 09:01:20

[howto] Protect a section with HTTP authentication (.htaccess)

#2 2006-08-02 11:06:57

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#3 2007-02-11 02:28:45

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#4 2007-02-11 12:19:11

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#5 2007-02-11 21:23:18

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#6 2007-02-11 21:50:08

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#7 2007-02-11 23:16:15

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#8 2007-02-15 23:35:04

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#9 2007-04-11 21:30:24

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#10 2010-05-24 22:28:41

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#11 2010-05-24 23:40:35

Re: [howto] Protect a section with HTTP authentication (.htaccess)

#12 2010-05-25 17:21:13

Re: [howto] Protect a section with HTTP authentication (.htaccess)

Board footer