It is quite simple to use .htaccess on Windows. Simple instructions with screenshots here.
Enabling password authentication on Windows using Apache (and here’s a link if you wish to RTFM) given the knowledge that you are busy folks so these are merely quick instructions to get it working on Windows.
Some things to know beforehand:
- Path to your Apache server (e.g., c:\apache)
- Path to your CONF folder (e.g., c:\apache\conf)
- Path to your DOCROOT folder (e.g., c:\apache\htdocs)
- Path to the folder you wish to password-protect. In my
example, lets take a folder called “secure”, so the path to this
would be “c:\apache\htdocs\secure”. (It could be ABOVE the htdocs
folder as well, FYI).
Ok, let the show begin:
- Open up your httpd.conf. (On my machine this is at
“c:\apache\conf\httpd.conf”). - Look for the word called “AccessFileName”. I believe there
should be a line like this:AccessFileName .htaccess
- If you use Windows 2000 or above, then move on to step 4
(because you can create files like “.htaccess” on your system which
do not have anything before the dot in the filename. If not, then
change this line to the following:AccessFileName ht.acl .htaccess
- Then, we need to add the directory to the configuration.
Instead of rattling on about how to do it, here is a
screenshot:
alt=”This is what the HTTPD.CONF should look like. ” />Please note that “/apache” in the directory path means that it
starts from the root drive on my machine (“c:”). Adjust
accordingly. - Our httpd.conf is done. Now we need to create the password
file. Open up a DOS prompt and go to the apache’s BIN directory. In
my case, it is “c:\apache\bin”. Anyway, again, I think a screenshot
is more helpful.
alt=”Instructions for creating the password file” /> - Now, we need to create the HTACCESS file itself. As per point 3
above, either create a “.htaccess” or a “ht.acl”, whichever suits
you fine. I will keep my example to “ht.acl” because this works on
ALL windows systems if they use Apache 1.12…or above. Here is
what this looks like.
c:\apache\htdocs\secure\ht.acl
- Save the above file into your SECURE folder because it
represents only that folder context.
READY TO ROLL! (I restarted my Apache, just in case). Here is
what happens when I try to access my folder from the browser:
This post is tagged Tutorials
141 Comments
how to enable url rewriting in windows? thank you so much for this tutorial but htaccess on windows is not very useful to me unless i can also use is to mirror my rewriting on my production server which uses freebsd. thanks for any ideas.
Mark, did you enable your rewrite module in your httpd.conf? Uncomment this line if it exists:
LoadModule rewrite_module modules/mod_rewrite.so
Or just write it if it doesn’t already exist. That’s it.
you need to put ” ” around the path to the password file, section 2.2.2.6
Thanks Xcape. It works in the above example as there are no spaces in the path, but yes, if we had paths like this:
c:\program files\apache group….
..then quotes are useful! Thanks for the tip.
“If you use Windows 2000 or above, then move on to step 4 (because you can create files like “.htaccess” on your system which do not have anything before the dot in the filename.”
You sure? I can’t create a file named .htaccess in WIN2K
hi,
the tutorial is very nice, but there is something i did not understand !! as soon as i made the htaccess procedure , my apche server become very HEAVY !! is that normal ??
thanks for answering
John> Windows 2000 (I’m using Advanced Server on my server) will not allow the creation of .htaccess files in the explorer, but if you save a notepad fiel as .htaccess, and rememeber to set the file type as “All types”, it’ll save the .htaccess file all well and good. And then copying and pasting the file works, as well as editing it’s content.
First a very good tutorial, the best I have found on this subject.
A few comments. when creating a new file on windows XP (right click,new/text_file then rename to ‘.htaccess’) I get a system error ‘You must type a filename’. Then when I rename it to ht.acl my system thinks the file is a ‘AutoCorrect List File’ which might or might not cause problems!! I renamed it to ‘ht.ac’
Then I added c: to the change in httpd.conf file as I assume this may be needed.??
I restarted apache and tested my newly secured folder…. I got the user/pass prompt
but my username and password failed 
- I have recreated my password file several times to check the spelling etc but the this has not helped 
If anyone has any suggestions please email me, or post here. thanks
Hi Stuart,
Thanks for the kind words. You’re lucky you’re on Win XP because I bet it works.
(1) For creating .htaccess, don’t create it inside Explorer. Open Notepad, type something and SAVE AS “.htaccess” and choose the file type as “ALL FILES”. Works without a croak.
(2) For Apache and your password file in general, I would delete everything and start afresh instead or renaming files etc. Just follow the instructions here from step 1. I created a new test secure folder and it works immediately. FYI, I tested this on my Win XP box which has Apache2 running. (Could test it for you on Win2K and Win98 as well).
Hope this helps! -Shanx
Thanks Shanx,
I started again (removed the previous files etc) and it worked
Thanks agian, Stuart
I’m using winXP with apache server I followed all the directions above but when I send my browser to the specific file, it says forbidden you don’t have access to /secure/ on this server. If I put a link from another page to it, it goes straight in without the asking about password or username, any ideas.
Thank you
You must have some other settings in your HTACCESS that may be conflicting with these security settings. Can you perhaps share your HTACCESS file? You can email me personally if you prefer.
So has anyone been able to use windows authentication with Apache 1.3.x?
Yes, I have. Are you having problems with it?
If you cant create a .htacess file in windows you can use dos.
1) Create a simple htaacess file in notepad just save it as “htacess” no “.”
2) Run -> Cmd
3) No we are in dos/command promptyness
Here
ren htaccess .htaccess
Hi guys,
I’m running xp with apache version 2.0.47. I have created the .htaccess file and left the these lines in in my conf file
Order allow,deny
Deny from all
When i try to access the secure directory it lest me in with out any prompt for a password plus i dont see the .htaccess file listed when i get in through browser
can anyone advise me what i should do to get it to work cheers
i followed the instructions to the letter (im running apache/1.3.29 on windows 2000). The first time i did it i just got an internal server error message. So i tried again and this time it justlets me access the files, no question of putting a password or username in.. Anyone else had these problems ?
Thanks for all, I tested it with Apache 2 on Windows 2000.
Works fine :)
Chris Traverse, you need to tweak your HTACCESS file, most likely. If you still haven’t got it working, please write to me personally with a sample of your HTACCESS file attached. HTH, Shanx
This didn’t work just like this, i had to put:
AllowOverride All
Options None
Order deny,allow
instead just “/apache/htdocs/secure”
running apache 1.3.27
Excellent tutorial
Wonderful tutorial.
I have noticed many tutorials out there giving code and so forth, but none mentioned directives.
So, am I to understand that [nc] or [r,l] is a directive?
If so, is there a specific .htaccess manual for this?
When creating a .access file on windows systems:
Type one in notepad
Save As
“.htaccess”
It is important to remember the quotes; they’re the things preventing the .txt extension and the filename alert when you only use an extension.
Hi,
I am running windows 2003 and apache 2. I followed your instructions, but if i go to secured area it doesn’t ask me for login (#7)
here is my config please help as I need to bring my site live ASAP. thanks
Shashank’s Edit:
Your .htaccess file is here, due to the length
Thank you- works like a charm with my apache 2 server
Nick, Thanks for the htaccess file, but it was huge and made this page overflowing so I have moved it into a separate file on this server. As for the problem, where is your “Directory” directive? Pls read the instructions and follow them to the letter. Once it works, as in the example on this page, then try for your own paths etc.
hi all.
nice tutorial.
I was wondering. Is it possible if you already set up a protected folder to add users via a sort of webbased script.,so dont have to physicly be at the server, but can remotely add an user account thnx
Hi popeye, you can swing by this cool tool: http://www.awtrey.com/support/scripts/htpass.php ..this is CGI, but you can get an idea and implement this in whatever language you wish..HTH, Shanx
I tried in W2k, thx it works but I can find a log off feature - I can access the “secure” directory again even I closed the IE after accessing it!
Any suggestion on making a log off session?
I got another trick to make windows accept filename .htacces
I have acces to a webdirectory and when I rename my file overthere, it’s no problem, so then I copy it back to my local protected directory et voila, it works! :)
Just wanted to thank you for having the answer I needed. Keep up the great work.
this is a nice tutorial but im having problems. i want to protect a director called “S04” in a directory called “jdang” in my htdocs. my apache is located in “c:\Program Files\Apache Group\Apache2”, so here is the relevant part of my httpd.conf file:
AccessFileName .htaccess
AllowOverride All
Options None
Order deny,allow
here is my .htaccess file (and yes, i properly named it as a .htacess in windows XP)
AuthUserFile “/Program Files/Apache Group/Apache2/passwd/passwords.txt”
AuthName “S04”
AuthType Basic
require valid-user
My password file is located in “C:\Program Files\Apache Group\Apache2\passwd\passwords.txt”
When i test it, i go to “http://xxx.xxx.xxx.xxx/jdang” I don’t see my folder “S04”. So, I manuall type in “http://xxx.xxx.xxx.xxx/jdang/S04” and it asks me for my username and password, and it accepts the username and password, but it comes up with this error:
Forbidden
You don’t have permission to access /jdang/S04/ on this server.
I know my username and password is correct because if i type in an incorrect combination it will just prompt me for my username and password again.
Sorry for the really long post, but could anyone help me?
Thanx very much for this tutorial!
I search around day and no one could help me!
Now it works…. Thanx
I’m having problems wiht this tutorial. Everytime I keep trying to access my folder that I set for authentication, it gives me a forbbend message. Here is my .htaccess file:
AuthUserFile “C:/Program Files/Apache Group/Apache/bin/passwd.txt”
AuthName “This is my secret area”
AuthType Basic
require user beetle
Can some one help. Thank you.
When I upload .htaccess or ht.acc to any directory on my server, my entire website got effected.
eg. when I create directory called secure, even my main / request for login.
Please help…
Hi guys,
The instructions in the tutorial above work for any Apache installation on any version of Windows.
If you are having problems even after making SURE that you have followed the instructions above, then the only other possibility is that you have something in your htaccess file that conflicts with the new instructions.
In this case, the only way out is for you to send me (privately) your .htaccess file and let me look at it for possible anomalies.
Thanks, Shashank
I’m using Apache 2.0.49 on Win2k
I’m using a .php script over Apache and set the
$z_apache_auth = true; # Append Apache user:password to playlist urls.
This is working fine for winamp… but my linux friends with xmms aren’t getting in..
dealt with this scenario?
Why doesn’t the secure folder list in the root folder of the server.
E.g. the folder /secure does not show up at all, you have to type in the address manually…
Hi Olmen, I am not sure I understand the question. What is your path structure?
I don’t know what the problem is….I followed your instructions exactly, but when i go to the directory that is supposed to be protected, I keep getting:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@123456.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log. — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — Apache/2.0.49 (Win32) Server at 12345.afraid.org Port 80
my docroot is C:\webroot, Apache is under C:\web servers\apache2. If there’s anything else I should be doing, please tell me. Thanks in advance!
Jesse-
If a path in the .htaccess file has spaces in it, you must enclose it (the path) in quotes. 8^)
hi
the tut is really nice
my phpmyadmin path is c:/phpdev3/www/html/phpMyAdmin
my docroot folder is c:/phpdev3/www/html
my apache BIN folder path is c:/phpdev3/apache/bin
I want to prevent acceess to the phpMyAdmin folder so i created a passwd.txt file as required in BIN folder of Apache….
I added the necesary comments to the httpd.conf file in the CONF directory of Apache…..
& i created a .htaccess file in the phpMyAdmin folder with the necessary contents……
but when I try to access phpMyadmin folder, it tells me the following message
Forbidden
You don’t have permission to access /phpmyadmin/ on this server. — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — Apache/1.3.19 Server at ballast Port 80
it does NOT ask me for the username & the paassword
Kaushik,
Can you share the section of your httpd.conf? I believe your path there may be wrong, or it may be conflicting with another directive in your file. Shanx
ok ive got it to ask me for a user and pass hurrah
but i then get the message Forbidden
You don’t have permission to access /secure/ on this server.
what have i missed ? tia.
This is a great tutorial, definitely the best I’ve seeen on the subject.
Similarly to others I think I’ve got a conflicting directive as once I am presented with the pop up box and I correctly enter my login details I get the following message:
“Forbidden
You don’t have permission to access /si/ on this server. — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — Apache/1.3.27 Server at localhost Port 80”
My Apache access log states
“127.0.0.1 - irfan [08/Jul/2004:12:20:20 +0200] “GET /si/ HTTP/1.0” 403 304”
My Apache error log states
“[Thu Jul 08 12:20:20 2004] [error] [client 127.0.0.1] Directory index forbidden by rule: d:/home/www/si/”
My ht:acl file reads:
“AuthUserFile “c:/Program Files/EasyPHP1-7/apache/bin/passwd.txt”
AuthName “Documentation Area”
AuthType Basic
require valid-user
”
Is this in contrast with my httpd.conf file directives ?
”
DocumentRoot “D:/home/www”
Options FollowSymLinks Indexes
AllowOverride All
Options Indexes FollowSymLinks Includes
AllowOverride All
Order allow,deny
Allow from all
AllowOverride All
Options None
Order deny,allow
”
Thanks for pointing me in the right direction
PROBELM SOLVED
(IfModule mod_dir.c)
DirectoryIndex index.html index.htm index.shtml index.php
(/IfModule)
my index file had a .htm extension and .htm wasn’t listed in the above.
sorry for all the messages but at least you can now say that this tutorial is so great it even works on NT ;) thanks!
Great tutorial! This helped me out of a jam this morning. Nice work…
Heres somthing a bit difficult… i followed your tutorial like so and when i got to access the protected directory i get a 500 Internal Server Error… here are the specs.
Operating System: Windows XP Pro SP2
Apache Server Version: 2.0.50
httpd.conf file:
http://www.itxserv.com/myhttpdconfigfile.txt
ht.alc file:
http://www.itxserv.com/secure/ht.alc.txt
Any suggestions would help….
http://www.itxserv.com/secure/ this is the correction for http://www.itxserv.com/secure/ht.alc.txt
nevermind.. i fixed it lol… Excellent tutorial btw..
This guide is the by far the best I have encountered. I have no prior Apache experience and this saved me big time. Thanks!
This tutorial is good. But i have one question here.
If my Apache is different in a different server with my web applications. How do i set the path for the in httpd.conf
AllowOverride All
…………….
…………….
Can anyone please help?
Thank you.
#
# Based upon the NCSA server configuration files originally by Rob McCool.
[trimmed due to size]
above is my httpd.conf……I’m using winXP with apache server I followed all the directions above but when I send my browser to the specific file, it says forbidden you don’t have access to /secure/ on this server. If I put a link from another page to it, it goes straight in without the asking about password or username, any ideas.
Shanx,
have you thought about a forum? it is hard reading such long posts (nothing against the persons), for me anyway.
Please, post ONLY the relevant points in your solutions guys and gals. This makes it easy to evaluate, the usefulness and accuracy, and also makes easy reading.
I am really sorry for any disruption. If admin wants to take it off, no problem. But if any body knows the problem please do let me know. thanks
Your problem Shumam lies here (look at the arrows — >). You have given rights, but in the alias taken it away also. This should be corrected, either None or All. — — — SNIP — — — DocumentRoot “/web tools/machine_reporter/”
AccessFileName ht.acl .htaccess
AllowOverride All — > Allow All
Options None
Order deny,allow
Alias /machine_reporter/ “C:/web tools/machine_reporter/”
Options MultiViews
AllowOverride None — > Allow None for the same folder. — — — — - SNIP — — — — — tips:
- Check your Error_Log file in “c:/web tools/logs”. The answer is always in there.
- try not to use spaces in the names of folders (“web tools” should be “web_tools”), this is better.
reply:
Notice I did not correct it for you? I wanted you to get use to searching and correcting errors(I presume you are a Admin). Trust me, this is the best way, and incase it doesnot work, you have a start where and how to look.
I did not mean it like it sounded above, I apologise.
Shumam forget the crap from above(if that’s not working)the error Forbidden is because you do not have an index.html, index.php etc. file in the secure folder. People, do y’all remember this setting in your htconf file? -Indexes
This means noone is allowed to browse the folder when there is no index file. So, create an index file in the secure folder, tada!!.
That works! thanks
Thanks for providing this great tutorial. Its so much easier following examples than just reading about features without seeing them applied in a context! Good on you mate;)
I am not prompted for any file names can you look at this and see what I did wrong. thanks
DocumentRoot “D:/Program Files/Apache Group/Apache2/htdocs”
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
UserDir “My Documents/My Website”
AllowOverride ALL
Options None
Order deny,allow
AllowOverride ALL
Options None
Order deny,allow
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
Order allow,deny
Deny from all
TypesConfig conf/mime.types
DefaultType text/plain
MIMEMagicFile conf/magic
Dave,
Which folder do you wish to secure? I’ll assume it is the “admin_phone” folder.
1. Make sure your “AccessFileName” command is ABOVE any of the DIRECTORY directives.
2. Make sure the .htaccess file is in the “admin_phone” folder.
Actually, before you try an admin_phone folder, can you try the example mentioned above, as-is, including the folder names etc?
This tute was just what I needed, had spent nearly 1 week trying to make .htaccess run locally like it does on my server, no joy atall ti’l I used this method of creating the password file, also using the .htacl extension if the appache httpd file helped I think, muchos thankos for this. regards. Sean
Thanks for providing this great tutorial. Thanks,
Finally made it work - but the process was complicated by the existance of “Virtual Hosts” on my server. And that part is not covered here.
In another set of instructions (somewhere), I remember vaguely, that entries are to be made into that virtual hosts section, if that’s where the portion of the server and host to be secured is located. Nothing worked (no username/password challenge) until I added lines to the main Httpd.conf section just under “AccessFileName .htaccess” line up there.
Anyway, I got quite confused over all this and would appreciate some specific instructions when “Virtual Hosts” is involved.
Thanks, Brian
Great tutorial, but i can’t get it to work properly, have tried several things with various results, right now it doesn’t ask for a password.
Could anyone please help me?
jkue nailed it….I had the same access problem (forbidden) until I added the index file to the directory that was protected. Otherwise the tutorial is excellent.
I found the apache manual to be sufficent for instructions on .htaccess and what to do, even for the beginner like me
Hi,
This tutorial is really wonderful.I have gone through the steps and implemented the steps as stated by you. but i do not get any pop-up window asking for username and pswd.
I am using Win2k with apache server.
If anyone thinks its insecure to send your unencrypted password over, and over again to the website use these settings: — — — — — — — -
.htaccess — — — — — — — -
AuthType Digest
AuthDigestFile /u/soft/www/secure/.htpasswd
authname “Secured Login” — — — — — — — -
This setting will enctrypted your password (MD5) before sending it to the website. Mind this: the data send/received are not encrypted!
What is the use of this:
When you receive a 401 error, you a promt to login. When you do, your browser will remind your password so the next page will not promt you again. But your browser will log you in automatically.
You don’t mind, but your password will be send over-over and over again unencrypted over the internet.
A simple network sniffer could receive your internet traffic and retreive your password.
This setting will make that a bit harder to do.
Mind this: Older browsers might not support this feature (IE 4.0&lower).
TeDaDeS, where do you put this code?
AuthType Digest
AuthDigestFile /u/soft/www/secure/.htpasswd
authname “Secured Login”
i tried putting it in ht.acl and when i tried to access the site, the broswer gave me an error saying that “The server encountered an internal error or misconfiguration and was unable to complete your request.”
any help please
Does the paths work on long file name?
Restrict Access Using Htaccess on Windows
I wrote a simple web application for stock management to be used inside the company(by only a staff). I got a request to implement password protection to the system.
I do not want to modify database and modify the codes(and I am lazy
). So, the …
superb tutorial!
to those who had problem please try this tutorial as it is first.
u will much understand the flow and easier when you want to try your own setting.
one more thing to remember, try change to this setting in the IE > Tools > Internet Option > Temporary Internet Files > Choose every visit to the page.
I managed to setup my own htaccess. It works fine if i restart apache(after make adjustment to httpd file) & reload IE but fail when i click GO button. So the workaround to this problem is as above. (“Choose every visit to the page”).
Good luck!
Thanx for this wonderful tutorial! Bravo!
I haven’t see anything about the fact apache usually forbid all user to access .ht files. If you decide to use anything else than .htaccess like :
AccessFileName foo.txt
You should change this in httpd.conf :
Order allow,deny
Deny from all
Satisfy All
According to this it also mean that you can place your password.txt in the same folder than .htaccess and rename it to .htpasswd or .htanything_you_want. Nobody will be able to get it.
In the case of foo.txt I guess the following should work:
Order allow,deny
Deny from all
Satisfy All
password file can be something like foo.txtpasswd
My error log shows
“[Sat Feb 19 00:13:00 2005] [alert] [client 218.212.23.129] C:/Program Files/Apache Group/Apache2/htdocs/phpmyadmin/.htaccess: AuthUserFile takes 1-2 arguments, text file containing user IDs and passwords”
the passwd.txt is in C:/Program Files/Apache Group/Apache2/bin/ already but it seems it’s returning an error saying it’s not. Why?
I’m trying to protect C:/Program Files/Apache Group/Apache2/htdocs/phpmyadmin/
hey this might be stupid but I dont know the answer, and you guys seem to know a lot about it. Everything i have is working fine, the tutorial for everything worked great. but i dont know what it should look like in my passwd.txt file. I know the username and pass goes in there, but ive tried to put
username cat
password dog
and nothing works. plus im sure its not encrypted, should I worry about that and if so ,what should I do about it? pauly
Ok, I just posted something, but I did the whole cmd prompt thing to encrypt the password in the passwd file and it worked, perfectly! but It wont let me in when I put in the info! pauly
I have managed to set up htaccess on an externally hosted website but am having trouble setting it up on the local machine. I think my problem is with the directory setting in .htaccess.
The directory to be protected is:
C:\www\private
The password file is called passwds and is in the directory passwords, i.e.:
C:\www\private\passwords\passwds
My apache server is under:
C:\Program Files\PHP Home Edition 2\Apache2
Do I put in my AuthUserFile: “/private/passwords/passwds” (minus the “”),or;
“localhost/private/passwords/passwds”, or;
“C:/www/private/passwords/passwds”, or some other possibility that hasn’t occurred to me yet?
I have set the httpd.conf file to “AllowOverride All” for the directory C:/www, so the prompt box for login now shows up, but I suspect that it cannot find the passwds file which is why I cannot log in.
Any advice would be appreciated.
regards
Megan :o)
Great, Works just fine ! thanks for all .
Megan, and others, please make sure that you’re using the path to Apache as demonstrated in this tutorial. I know Apache installs into “c:\Program Files” which is the Windows default, but Program Filles has a space between the two words, which is a cause of headache in most occasions. If it’s not too much of a bother, reinstall your Apache to c:\apache or something. And retry JUST AS SHOWN in the tutorial on this page. Let me know if problems still persist.
Resime:
XP, Apache 1.3
1)
Create passwords file:
C:\oracle\splet\Apache\Apache\bin>htpasswd passwd.txt marko
Automatically using MD5 format on Windows.
New password: *****
Re-type new password: *****
Adding password for user marko
… and so on, for adding new users… (without -c) Password for my marko is: marko
2)Under htdocs create directory: safe_dir
Open Notepad, write:
AuthUserFile c:/oracle/splet/apache/apache/bin/passwd.txt
AuthType Basic
AuthName “Safe dir 1”
Require user marko metka
Save as ht.acl into the safe_dir
3)
Open httpd.conf and find and change:
# This controls which options the .htaccess files in directories can
# override. Can also be “All”, or any combination of “Options”, “FileInfo”,
# “AuthConfig”, and “Limit”
#
##AllowOverride None — comment it out
AllowOverride All
4)
Create test.htm and save it in safe_dir
5)
Run Appache, test access to the test.htm
Why original manual above did’t work on my PC:
I create ht.acl instead of .htaccess
I create passwd.txt instead of passwords
regards Igor
Hi there,
I’ve been trying to protect access to a folder following the steps explained in the tutorial, but the problem now is that I can still access the folder using my explorer. There’s no box asking me for y username and passwd…
I did the following:
- In my http.conf file, I added the following:
AccessFileName .htaccess
AllowOverride All
Options None
Order deny,allow
I created the passwd.txt file in the folder
D:\Program Files\Apache Group\Apache2\bin
After that I created the .htaccess file containing the following info:
AuthUserFile “d:/Program Files/Apache Group/Apache2/bin/passwd.txt”
AuthName “This is my secret area”
AuthType Basic
require valid-user
I saved this file in the following folder:
d:/Program Files/Apache Group/Apache2/htdocs/secure
After that I stopped Apache and started it again.
I opened my browser, typed in ‘localhost/secure’.
The content in this folder was displayed.
How can I solve this problem?
Thanks, Tom
Hello,
I set up authentication on my site using your tutorial and I thank you very much. however I have a question. I set up authentication on my machine running Apache 1.3.33 and it works perfectly. I tried to set it up on my friends machine running Apache 1.3.27 and it only partially works. I copied all the settings from my machine to his and set up the aliases. When you try to go directly to the restricted file ‘modify.pl’, you are asked for a username and password. However if you click on a link from the current page to ‘modify.pl. you are not prompted for a username and pass. Does anyone have an idea? Is this a bug with that version of apache and url re-directing? Any help would be nice…here is my config set up:
httpd.conf:
AccessFileName ht.acl
ScriptAlias /cgi/ “C:/computers/cgi/”
AllowOverride All
Options ExecCGI
Order deny,allow
Allow from all
ht.acl file:
AuthUserFile C:/computers/passwd.txt
AuthName “Enter user name to Edit”
Authtype Basic
require valid-user
and my password file is located C:/computers/passwd.txt
This works fine if i go directly to the page or if i go using a link on my Installation, but it doesn’t ask for authentication on my friends when re-directed from another page. Anyone have an idea?
Thanks Alot and great tutorial, Alex
Hey, I have followed this great tutorial but I was unsuccessful. I get to the password prompt, but I can’t get past that. I have an index.html as well.
can you do any formatting of that password popup window? change the font? multiple lines? images?
Hi Joey,
The window will most likely appear differently on different browsers and different OSes.
Although you can change the message that a user sees by inserting a newline character (“\n”) in your AuthName text. This should allow multiple lines.
A customized login that coincides with the rest of your site is neat from a design point of view, I guess, but do you really want to spend that much time on a login screen that a user spends no more than a second on? Especially with all modern browsers supporting “Remember password” functionality.
FWIW, you can customize the error message that appears if the user cancels the login by customizing Apache’s Authorization Required (401) page. Shashank
Dear Sir,
I was stuck in my office for this reason, i was not able to do make password protected directory on client’s site. i got this page from google and i tried, hoooray it is fantastic i done it. thank you for CEO, developers…of this site. and i m very glad to see the Indian name below this page Mr. Shashank Tripathi as as Indian. Thanks a lot to everybody there.
Thanks & Rgds,
Sameer Pal Singh sameerpalsingh@rediffmail.com
I must agree this is an awesome post and was very helpful. I followed the steps although once everything was complete and I went to see if it would asking me for username and password it didn’t. Im not sure what’s exactly wrong. Im running windows 2000 and apache 2.0.53 If someone might be able to point out what’s wrong that would be great.
Liz, others for whom the tutorial doesn’t work. Please make sure you have the paths in your files properly specified and put inside double quotes if you have spaces in your folder names.
For instance, on my Apache2, my .htaccess file looks like this: — — — — — AuthUserFile “d:\Program Files\Apache\Apache\bin\passwd.txt”
AuthName “Secret area”
AuthType Basic
<Limit GET POST>
require valid-user
</Limit> — — — — — And my httpd.conf entry looks like this: — — — — — <Directory “d:/program files/apache group/apache2/htdocs/sniptools/secure”>
AllowOverride All
Options None
Order deny,allow
</Directory> — — — — —
Excellent tutorial. I followed your instructions and it worked first time perfectly on my WinXP machine.
I’d been searching for a good explanation of how to do this for some time and this one actually did the trick.
Thank you!
Thanks, this one really helped, I did know how to protect the directory in other webspaces, but this one showed me what to do with the apache conf on my own web server :)
Dude thanks very much for this very imformative + view of the created .acl files is a great advantage. Just out of interest how secure is using this method?
Great writeup! However, I noticed with Apache2, Apache uses the “httpd.default” .conf file instead of the httpd one. I don’t know if this is just me, but just thought I’d share, because I was having fits getting it to work until I realized this.
thanks for that very detailed tutorial!
got my server protected very quickly!
Cheers for the easy-to-follow instructions.
I have managed to get the thing working, but I have to enter the username/password twice, in identical login windows, before Apache will let me in. Not a serious problem but a minor irritation that I would like to deal with if anyone can help.
I have do like your instruction with Apache 2.0.55 but can not ! when I log in to http://localhost everything as normally without password protecd ! Could you please help me ! Thanks.
Having some trouble.
running Win xp pro service pack 1
.htaccess file looks like this
AuthUserFile C:/Apache Group/Apache2/bin/.htpasswd
AuthName “Members Area”
AuthType Basic
required Valid-user
config file looks like this
AccessFileName .htaccess
AllowOverRide All
Options None
Order deny,allow
When I try to test it , it gives me a 500 internal error
Can anybody help
Email: ghost1@nctv.com
subject .htaccess
thanks in advance
In the .htacces file I have:
AuthUserFile D:\streznik\www\reiki.htpasswd
AuthName “Members”
AuthType Basic
require valid-user
and in the .htpasswd I have:
admin:$apr1$Qh/…..$zBrg27pYbkwKIWypvMQQ6.
Created by command prompt :
htpasswd -c -b .htpasswd admin test
it gives me 500 internal error with the comment in the error log:
d:/streznik/www/reiki/.htpasswd: Invalid command ‘admin:$apr1$Qh/…..$zBrg27pYbkwKIWypvMQQ6.’, perhaps mis-spelled or defined by a module not included in the server configuration
Directorz settings:
DocumentRoot “D:\streznik\www\reiki”
ServerName reiki.petyasfreeworld.com
# Other directives here
AllowOverride AuthConfig
Options None
Order deny,allow
I also tried with AllowOverride All, but nothing changed.
I have Apache 1.3 on Windows 2000. It’s pretty rare configuration and I’m not sure that .ht files works there. Can you help me? I would like to stay on this configuration, because I’m not familiar with *nix systems.
Please help.
I’ve have many of the same “Forbidden” errors you have all had. Finally figured it out. I assume most of you are viewing Directory Indexes…
So
You need to have the following instead:
AllowOverride All
Options Indexes None
Order deny,allow
Without “Indexes” you will lose access to the directory views once you login.
Hi ,
I tried with the above tutorial . I found internal server error.When i checked my error log i found follwing statements:
/stage/app/reportsdata/.htaccess: Invalid command ‘AuthUserFile’, perhaps mis-spelled or defined by a module not included in the server configuration.
As i am sure AuthUserFile is not mis-spelled . The 2nd one tells about the required module. If anybody has any idea on this module please help me out.
Mangal — in the modules section of your httpd.conf, is the following module enabled (does not have the hash sign at the beginning of the line) — mod_auth_db? Shashank
Thanks Shashank.
Now i am getting the username and password pop up.When i am giving the username and password as i have created in the passwd.txt file, it failed.I tried all the steps once agin but the found no result.Can You suggest something.
If the password isn’t working, your password file is either being saved in the wrong place, i.e., it is not consistent with the path in the ht.acl (under the section “AuthUserFile”), or you are entering the password incorrectly.
Top tutorial! I have been trying to get this htaccess thing working for several weeks now, but nothing worked. The very first time I did things according to this tutorial it worked right on! Great! Thanks!
Thanks for all, this tutorial is very easy, and good, i am not use .htacces all configuration in the config file httpd.conf
: = )
Thanks a lot for your succint and precise help.
Hi Shashank,
I’ve got Apache 2/php5/mysql5 running on Windows 2003. I ‘m interested in creating websites for each of our staff members — say about 50 users. These websites will not be publicly available, they will mirror websites on our public website, and once the information has been approved the files will be transferred to their duplicate public sites by the administrator.
My question, is this htaccess authentication method the way to password protect these “not public” directories? I’ve got a basic understanding of namevirtualhosts but I’m very confused on how to set-up Apache for multiple users with different passwords. And if possible, I’d like it to be setup so that these folks can use their existing network passwords.
Any assistance or direction you can provide would be GREATLY appreciated, I’m googled out and I still don’t know what approach to take. Lsa
I have followed the step which you have given i am getting the window asking for the username and password, i have given the username and password that i have created on passwd.txt also created ht.acl file inside the secure folder
My problem is login cardinels are not validating pls advise me for the same
Hi guys, i followed the tutorial, and i think im doing exactly as it says, but it doesnt work, the password box is not prompting.
here is my htaccess file
AuthUserFile “c:/apache2/bin/passwd.txt”
AuthName “lalalal”
AuthType Basic
requiere valid-user
hii frend i have try it but when i restart the apache still zero ,no change i use windows 2000 profesional,
and this configuration
Apache(1.3.23),
MySQL(3.23.48)
PHP(4.1.1).
any body help me
Thank you for the quick-manual! Helped me get the .htaccess to work also in Windows! Tooks some loooooongs nights to tweak this out
One thing that was keeping me unsuccessfull was that I used those long filenames in the paths, e.g.
C:\Program Files\Apache Software Foundation\Apache2.2\htdocs
but after changing them all (including the path to the password file) to “DOS-Friendly” the system started to work without any problems - e.g. C:/PROGRA~1/APACHE~1/Apache2.2/bin/.htpasswd
Just a thank you. It works as described for.
Thanks alot Marco
Nice tutorial, but I have one problem. I configured my Apache and now all my sites get an 403 error and at no one a prompt to login.
I can get the Apache challenge box to come up, but it does not accept my password, but keeps popping up the challenge box.
This also occurs when I pop up the challenge box directly, that is, without having an .htaccess file:
The problem is that when I add the login and password, there is no $_SERVER[PHP_AUTH_USER] or $_SERVER[PHP_AUTH_PW]. I can confirm that by commenting out the lines above, inserting:
print_r($_SERVER);
and submitting the Apache challenge box. The display of print_r does not include variables for PHP_AUTH_USER or PHP_AUTH_PW.
I’m using Apache 2.0 and PHP 5.1.4
I answer my own question:
The box that I was working on had PHP installed as a CGI executable. When you load PHP as a module, as indicated in the tutorial, it works, even on Windows.
Thank you very much! This worked fine on my WinXP Home w/ Apache 2.2.2, PHP 5.1.4, i.e. 6, Firefox 1.5. all on my humble little notebook. I am amazed this thread is over 3 years old. Thanx for sticking with it and helping all of us either getting back on board or just breaking in!
nice tutorial
but my username and password is not working. it just say ur not authorised.
thank you man!!!! you really help me with this small tutorial.everything working great.
i have problem with forbidden erros
and I check my logs error
here it is
[Wed Aug 02 11:36:47 2006] [error] [client 127.0.0.1] File does not exist: C:/Apache2/htdocs/favicon.ico, referer: http://localhost/
where do i get favicon.ico
please help
Hi,
Can somebody help me with my problem. I created one of those web sites that will ask you for your pass word on Windows. However, when I enter the password, it looks like that the pass word is not recognized. I am not sure what I am doing wrong.
Thanks for your help.
Hi,
I keep getting an “Internal Server error” . Other pages on my webserver can be accessed but this error shows when i try to access the ‘secure’ folder.
My .htaccess file is exactly the same as in the steps above.
Any advice will be much appreciated. Ricky.