Textpattern CMS support forum

#1 2006-08-02 09:01:20

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

[howto] Protect a section with HTTP authentication (.htaccess)

Suppose your website is at http://example.com and TXP is installed in the root directory and you want to use HTTP authentication to protect the section called ‘protected’ (http://example.com/protected).

This example assumes your website is hosted on an Apache webserver and that you already have an existing .htpasswd file containing usernames and passwords.

  1. Physically create that directory ‘protected’
  2. Within that directory ‘protected’, create the following .htaccess file:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule ^(.*) ../index.php
</IfModule>

AuthType Basic
AuthUserFile /path/on/server/to/.htpasswd
AuthName "Only for registered users"
require valid-user

Last edited by ruud (2007-02-11 12:17:21)

Offline

#2 2006-08-02 11:06:57

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091

Re: [howto] Protect a section with HTTP authentication (.htaccess)

You’d also want to check your host’s control panel whether that offers an automated way to create the .htpasswd and .htaccess files for you – Textdrive does.

Offline

#3 2007-02-11 02:28:45

tyee
New Member
Registered: 2005-09-01
Posts: 5

Re: [howto] Protect a section with HTTP authentication (.htaccess)

Will this work with any CMS that uses a MySQL database instead of physical page files?? This is so cool if it will. I’ve been searching for days on how to do this.
I think it should be written like this, yes. Please confirm??

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule ^(.*) ../index.php
</IfModule>

AuthType Basic
AuthUserFile /path/on/server/to/.htpasswd
AuthName "Only for registered users"
require valid-user

This would be great if it would work everywhere.

Thanks
tyee

Last edited by tyee (2007-02-11 03:29:41)

Offline

#4 2007-02-11 12:19:11

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: [howto] Protect a section with HTTP authentication (.htaccess)

I’ve updated the code, see above. If that other CMS works in a similar way, then yes, it can work. Only one way to find out: try it ;)

Offline

#5 2007-02-11 21:23:18

tyee
New Member
Registered: 2005-09-01
Posts: 5

Re: [howto] Protect a section with HTTP authentication (.htaccess)

Hi ruud

Yes, I’ve been trying it many different ways and I always get taken back to my main index.php page. In another post I asked a question on how to interpret the code here. I guess you may answer in that other post.

But is this line -- RewriteRule ^(.*) ../index.php -- letting the Textpattern index.php redirect to the protected section??

tyee

Offline

#6 2007-02-11 21:50:08

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: [howto] Protect a section with HTTP authentication (.htaccess)

It’s needed, because otherwise TXP wouldn’t handle the request and you would see a directory as the webserver itself would display it.
When you’re allowed to visit the protected directory (which exists physically on the server), the RewriteRule prevents that physical directory from being shown to the user. Instead it redirects the request to Textpattern’s index.php (which would have happened if that protected directory hadn’t existed physically on the server), so TXP can show the section you really wanted to see.

Normally, sections in TXP don’t have a corresponding physical directory. It is all handled by index.php. To be able to password protect with .htaccess, a physical directory is required, but… when you request a file or directory that physically exists, the default TXP installation will no longer take care of it; instead that real, physical directory/file will be shown by the webserver. The rewrite rule overrides that by saying: even though there is a physical file/directory here, we still want TXP to handle the request. Because that happens after the authentication step, you get what you want: a password protected TXP section.

Last edited by ruud (2007-02-11 21:51:01)

Offline

#7 2007-02-11 23:16:15

tyee
New Member
Registered: 2005-09-01
Posts: 5

Re: [howto] Protect a section with HTTP authentication (.htaccess)

Hi ruud

Thanks for the reply and explanation. I’m wondering how come my cms then redirects to my index.php and stays there. The RewriteRule must need something else that’s not needed in textpattern. I have posted this question on my cms’s forum also.

Thanks
tyee

Offline

#8 2007-02-15 23:35:04

woollyhat
Member
Registered: 2006-12-28
Posts: 12

Re: [howto] Protect a section with HTTP authentication (.htaccess)

To get TXP to produce clean URLs, I use the .htaccess file in my root directory as follows:

DirectoryIndex index.php index.html
#Options +FollowSymLinks
#RewriteBase /

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^(.+) - [PT,L]

  RewriteRule ^(.*) /index.php
</IfModule>

php_value register_globals 0

BUT… I can’t get the method in this post to work for a subdirectory I want password protected. Is there something obvious I’m doing wrong? Many thanks for any help offered!

Offline

#9 2007-04-11 21:30:24

NathanLogan
Member
From: Idaho
Registered: 2004-10-05
Posts: 24
Website

Re: [howto] Protect a section with HTTP authentication (.htaccess)

Assuming you’ve already tried the FAQ way of doing things and it didn’t work for you (like it failed to work for me), I developed this script and added it to the top of my root index.php file:

$directory = "/root-relative/web/path";  // NO trailing slash here
$dir_length = strlen($directory);
if ( strtolower($directory) == substr(strtolower($_SERVER['REQUEST_URI']),0,$dir_length) ) die;

If you want to protect multiple directories, here’s the array version:

$protected_directories = array("/root-relative/web/path", "/another/path");  // NO trailing slashes here
foreach ($protected_directories as $directory)
{
    $dir_length = strlen($directory);
    if ( strtolower($directory) == substr(strtolower($_SERVER['REQUEST_URI']),0,$dir_length) ) die;
}

It worked for me. Hopefully you experience the same results. =)

Offline

#10 2010-05-24 22:28:41

laptophobo
Member
Registered: 2010-03-01
Posts: 216
Website

Re: [howto] Protect a section with HTTP authentication (.htaccess)

Hello ruud,

In your topic, you state:

…you already have an existing .htpasswd file containing usernames and passwords.

I looked for this file, couldn’t locate it. Is this something that I would have to create? I do have several User accounts in Textpattern Admin > User.


Living the Location-Independent Life: www.NuNomad.com

Offline

#11 2010-05-24 23:40:35

joebaich
Member
From: DC Metro Area and elsewhere
Registered: 2006-09-24
Posts: 507
Website

Re: [howto] Protect a section with HTTP authentication (.htaccess)

Hello,

Yep, you would have to create the .htpasswd file to match Ruud’s .htaccess file. The format is easy though:

username1:password for username1
username2:password for username2
etc

This file must go in a non web user accessible location referenced by AuthUserFile /path/on/server/to/.htpasswd in Ruud’s .htaccess file.

See this article, for instance, but there are lots of others too.

Cheerio for now.

Offline

#12 2010-05-25 17:21:13

laptophobo
Member
Registered: 2010-03-01
Posts: 216
Website

Re: [howto] Protect a section with HTTP authentication (.htaccess)

Hello Joe! Thanks for helping me (all of us) through this password protection application.

As I compare your initial thread with that of the article you directed me to (at: http://tools.dynamicdrive.com/password/) I’m left a little unsure (if not confused).

Here’s my need:

I wish to protect a Section called “private-page” on a Page with the same name.
FYI: my root directory is located at: www.mywebsite.com/html_docs/.

This is how I understand the instructions:

First, I should create a folder/directory (within html_docs) with the name of “private-page” (since that is the name of the Page and Section I wish to protect). Inside that folder will be a file called “.htaccess”. In that file will be the following script:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule ^(.*) ../index.php
</IfModule>

AuthType Basic
AuthUserFile /html_docs/.htpasswd
AuthName "Only for registered users"
require valid-user

As for the “.htpasswd” file, I read that it should not be left in the root (per above) but within another folder. Could it go in the cgi-bin folder? If so, then the new file location (per above) would be: AuthUserFile /html_docs/cgi-bin/.htpasswd.

Would this be correct?

Continuing on…

In that .htpasswd file will be the content (created by the dynamic password generator that you recommended and is mentioned above). It would look like this:

userone:DBug7D03zsUY7
usertwo:DBug7D03zsUY7

So, with the .htaccess file in the “private-page” directory, and the .htpasswd file in either the root or “cgi-bin” directory, that is all I need to do to protect the Textpattern section and page called “private-page.” And that there is no tag applied to the Page itself?

THANK YOU for your knowledge and assistance.


Living the Location-Independent Life: www.NuNomad.com

Offline
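
Added example, not part of any post in this thread: a small Python audit for the two points raised in posts #11 and #12, namely whether the AuthUserFile sits outside the web-served tree and what kind of entries the .htpasswd holds. The function names and the filesystem document root /home/example/html_docs are assumptions for illustration; the sample input is constructed from the values quoted in post #12.

```python
import posixpath
import re

# Prefixes of the password formats Apache documents for htpasswd files.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$"), "bcrypt"),
    (re.compile(r"^\$apr1\$"), "apr1-md5"),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "crypt-des"),
]

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path from .htaccess text, or None."""
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\r\n]+?)"?\s*$',
                  htaccess_text, re.I | re.M)
    return m.group(1) if m else None

def inside_docroot(path, docroot):
    """True if path normalises to a location at or below docroot."""
    path, docroot = posixpath.normpath(path), posixpath.normpath(docroot)
    return path == docroot or path.startswith(docroot.rstrip("/") + "/")

def classify(hashed):
    return next((n for p, n in SCHEMES if p.match(hashed)), "unknown-or-plaintext")

def audit(htaccess_text, htpasswd_text, docroot):
    findings, seen = [], {}
    path = auth_user_file(htaccess_text)
    if path is None:
        findings.append("no AuthUserFile directive")
    elif inside_docroot(path, docroot):
        findings.append(f"AuthUserFile {path} is inside the document root")
    for line in htpasswd_text.splitlines():
        user, sep, hashed = line.strip().partition(":")
        if not sep or user.startswith("#"):
            continue  # blank line, comment, or malformed entry
        scheme = classify(hashed)
        if scheme != "bcrypt":
            findings.append(f"{user}: not bcrypt ({scheme})")
        if hashed in seen:
            findings.append(f"{user}: same hash as {seen[hashed]}")
        seen.setdefault(hashed, user)
    return findings

# Constructed sample: the layout asked about in post #12 (docroot path is assumed).
SAMPLE_HTACCESS = "AuthType Basic\nAuthUserFile /home/example/html_docs/cgi-bin/.htpasswd\nrequire valid-user\n"
SAMPLE_HTPASSWD = "userone:DBug7D03zsUY7\nusertwo:DBug7D03zsUY7\n"
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HTACCESS, SAMPLE_HTPASSWD, "/home/example/html_docs")))
```

On the sample it reports the password file as lying inside the document root, both entries as 13-character crypt() hashes rather than bcrypt, and the two users as sharing one hash.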
