FutureQuest, Inc.
Knowledgebase: Password Protection
How do I password protect part of my web site?
Posted on 24 October 2003 04:10 PM

Password Protection: Automagically

You may password protect any directory within your cgi-bin or /www/ directory using your FutureQuest package's CNC. Once inside your CNC, click into the File Manager and navigate to where you can see the directory that you want to password protect. From there, follow these steps:

  1. Click on the check box next to the directory you will be protecting and then click on the Password Protect button in the Command Menu located at the bottom of the file list.

  2. Read the information provided and then click on Add User.

  3. Fill in the requested information (username and password) and click the Submit button.

That's all there is to it. If you would like to edit/add/delete any of the users or passwords you may do so using the CNC's Password Protect feature by repeating Step 1 above and following the instructions from there.

*Note: You may also protect a directory by using the "Add IP Address" option instead of (or in addition to) password protection. When you add an IP address, any connection from that IP address will be allowed access to the directory regardless of any password protection.

See this special note about the stats directory:
Password protection for my stats?

Password Protection: Manually

Introduction
This is a tutorial on password protecting directories using .htaccess files. You will need to use the command line for this one, therefore this method is recommended for Advanced Users and assumes a general working knowledge of SSH. For beginners, the CNC method outlined above is recommended.

For this tutorial, you'll need to connect to your account via SSH. See Suggested SSHv2 clients for some suggested SSH clients you can use.

A list of common SSH commands can be found at the link below:
Common Unix/Linux Commands Used Via SSH

When connected to your domain via SSH, you should see a prompt that looks something like this:
[username@FQ-Six:~ ]$

Before we start, let's move to your account's root directory (/big/dom/xdomain). To do so, type:

    cd /big/dom/xdomain

Make sure to replace xdomain with your xdomain. (Hint: In most cases, this is your domain name without its extension. If the domain example.com was hosted by FutureQuest, more than likely its xdomain would be xexample. Refer to your Activation Letter for your xdomain if uncertain.)

(Alternatively, if you have just logged in, you should be able to just type cd .. to move up to /big/dom/xdomain.)

You should then see a prompt something like this:
[username@FQ-Six:/big/dom/xdomain ]$


Password File
The next step is to create a directory to store the password file (the password file will contain our user list). You can call this directory anything you want. As you are creating it within your account's root directory (/big/dom/xdomain), the password file will not be accessible from the web (nor should it be!). For this tutorial, we will use the name protect for our directory.

Type:

    mkdir protect

Now that we have a place to store it, let's create our password file. We will call it passwords for this tutorial. Decide on a username and password to add, which will be required when someone tries to access the directory that you are password protecting.

NOTE: Usernames may not include a : (colon). Passwords should be at least 6 characters long and contain at least one number (0-9) and one letter (a-Z).

To add a user named john, you would type the following (replacing xdomain with your actual xdomain):

    htpasswd -cm /big/dom/xdomain/protect/passwords john

You will now be prompted for a (new) password for john. Type the password you've selected for that user and hit Enter. After hitting Enter, you will be prompted for the password again in order to confirm it. Type the same password again and hit Enter. You should now see a success message which indicates that a password for that user has been added.

Now, if you want to add more users to the passwords file, just type:

    htpasswd -m /big/dom/xdomain/protect/passwords username
where username is the name of the new user to add.

IMPORTANT: Notice we did not type the c when adding another user. The c switch (-c) says to create the file, so you ONLY use it when initially creating the new file. The m switch (-m) tells htpasswd to store the password as an MD5-based hash. (There are other options, however they are not addressed in this guide.)

If you need to change a user's password, just type:

    htpasswd -m /big/dom/xdomain/protect/passwords username

Important: Again, do not use the -c option except when initially creating the passwords file. If the file already exists, -c rewrites it, discarding the users it already contains.

You will be prompted for the new password twice. You will not need to type the old password.

.htaccess File

The next step is to create an .htaccess file (or add to it if one already exists) in the directory to be protected. You can do so using a text editor available on your computer (Notepad or similar), the editor available in the CNC, or you can use a command-line editor installed on the server (such as vi, pico, or mcedit). For this tutorial, we will be using pico. (If you want to learn more about pico, see Using the Pico Text Editor.)

For this example, we're going to password protect our stats directory. (If your stats directory is not password protected (see Password protection for my stats?), we do recommend doing so.)

From your account's root directory (/big/dom/xdomain), you would type:

    cd www/stats

[press the Enter key]

Then type:

    pico .htaccess

[press the Enter key]

As there is already an .htaccess file in the stats directory, you are now inside of it and viewing the contents of that .htaccess file. If there is not an existing .htaccess file in the directory you are working in, you are now in the process of creating one.

In the .htaccess file, type the following:

    AuthUserFile /big/dom/xdomain/protect/passwords
    AuthName "Restricted_Access"
    AuthType Basic
    require user username

Make sure to replace username with a username that you have entered in your passwords file. This will only allow the user(s) specified to have access to this directory.

When your user list is larger, instead of listing the valid users in the .htaccess file, you may want to use the following non-specific directive in place of "require user username":
    require valid-user

When using the above, you will not specify the usernames in the .htaccess file. Only the passwords file will contain the list of valid users. (Caution: Using this method, you will want to be sure that all users contained within the passwords file should be granted access to that specific area.)

You can also use something other than Restricted_Access -- this is the message that will be displayed to the user when they are prompted for a password. Whatever message you decide to use, be sure to use the quotes, keep it concise, and avoid using spaces to prevent strange behavior with certain browsers.

When finished, hold down the Ctrl key and hit the x key. You will then be asked if you want to save - type y for yes. It will ask you to confirm the filename - just hit the Enter key to do so.

If you used a text editor on your computer to create the .htaccess file, you may need to initially save the file as htaccess.txt, as some text editors will not allow a filename that begins with a dot. (Hint: In Notepad, using the Save As option, you can type ".htaccess" (with quotes) and it will save it correctly.) After saving the file, upload it in ASCII / text format to the directory you want protected. If you had to name the file htaccess.txt, you can use the File Manager in the CNC to rename it. In order to work correctly, the file does need to be named .htaccess, without the ".txt" part.

Note that the protection will automatically extend to any directories inside of that directory as well.
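
A consistency check for the setup built above, as an added example rather than FutureQuest's own tooling: it reads one .htaccess, confirms that the AuthUserFile lies outside the web directory, that a require line is present, that every user named after "require user" exists in the passwords file, and that each entry carries the $apr1$ prefix that htpasswd -m writes. The function name check_htaccess and the finding labels are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not FutureQuest code): audit a .htaccess written as in this tutorial.
# check_htaccess HTACCESS WEBROOT -> one line per finding, returns the finding count.
check_htaccess() {
    local ht="$1" webroot="${2%/}" problems=0 pwfile u
    # Directive names are case-insensitive; the path may be quoted.
    pwfile=$(awk 'tolower($1)=="authuserfile" {gsub(/"/,"",$2); print $2; exit}' "$ht")
    if [ -z "$pwfile" ]; then
        echo "MISSING: no AuthUserFile directive"; return 1
    fi
    # The password file must sit outside the web-served tree.
    case $pwfile in
        "$webroot"/*) echo "EXPOSED: $pwfile is under $webroot"; problems=$((problems+1)) ;;
    esac
    if [ ! -r "$pwfile" ]; then
        echo "UNREADABLE: $pwfile"; return $((problems+1))
    fi
    # Without a require line the Auth* directives enforce nothing.
    if ! grep -Eiq '^[[:space:]]*require[[:space:]]+(user|valid-user)' "$ht"; then
        echo "OPEN: no require directive"; problems=$((problems+1))
    fi
    # Each name after "require user" must have an entry in the password file.
    for u in $(awk 'tolower($1)=="require" && tolower($2)=="user" {for(i=3;i<=NF;i++) print $i}' "$ht"); do
        if ! awk -F: -v u="$u" '$1==u {found=1} END {exit !found}' "$pwfile"; then
            echo "UNKNOWN USER: $u is not in $pwfile"; problems=$((problems+1))
        fi
    done
    # htpasswd -m writes hashes starting with $apr1$; anything else was added without -m.
    for u in $(awk -F: 'NF>=2 && $2 !~ /^\$apr1\$/ {print $1}' "$pwfile"); do
        echo "NOT MD5: entry for $u was not created with -m"; problems=$((problems+1))
    done
    return "$problems"
}

# Stand-alone use, with the tutorial's paths:
#   ./check_htaccess.sh /big/dom/xdomain/www/stats/.htaccess /big/dom/xdomain/www
if [ "$#" -eq 2 ]; then check_htaccess "$1" "$2"; fi
```

A return value of 0 means the file matches the layout this tutorial describes; each printed line names one deviation.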


Removing password protection
To remove a user, see the following guide:
Delete Users from Password Protected Directories

If you wish to remove password protection from the directory altogether, you can use the Password Protect option in the CNC and just Delete all users from that directory. Or, you can manually remove the password protection directives from the .htaccess file. If the .htaccess file is only being used for password protection, you can delete or rename it to disable it. If the passwords file is not being used, it can be removed as well.