1

I'm trying to password protect a directory on my site. I can get the .htaccess working so that when I visit the directory a password prompt is shown, however when I put the correct credentials that I've stored within my .htpasswd file I am not granted access. The password prompt just pops up again.

I believe it's a problem with the path to the .htpasswd file in the .htaccess file. I've checked my document root (_SERVER["DOCUMENT_ROOT"]) and it shows that the root is this: 

/var/www/vhosts/myurl.info/httpdocs

so my .htaccess looks like so:

AuthName "Restricted Area"
AuthType Basic 
AuthUserFile /var/www/vhosts/myurl.info/httpdocs/.htpasswd 
AuthGroupFile /dev/null 
require valid-user

I've put the .htpasswd in the root document folder (httpdocs).

Any ideas what I'm doing wrong? Everything looks correct to me.

Improve this question
5
  • 1
    Are you sure your htpasswd is in correct format? username:passwordhash Commented Oct 29, 2012 at 12:52
  • I used to hat a problem that apache couldn't read/write. Might be this? Commented Oct 29, 2012 at 12:58
  • file permissions on directories and files are correct....apache can access those files Commented Oct 29, 2012 at 13:36
  • htpasswd is in format myuser:mypass Commented Oct 29, 2012 at 13:37
  • are you sure its in the correct place ? mostly if you have a httpdocs it appears under home/username/www/ It may be pointing at an empty file ? Commented Oct 29, 2012 at 13:58

3 Answers 3

Reset to default
5

If the path were invalid, you'd get a 500 error or something. Since the browser prompts for password, most likely the path is correct. However You need to make sure you generated the htpasswd correctly. Check this- http://www.htaccesstools.com/htpasswd-generator/

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

YES! I was doing everything correctly but I didn't realise that my password needed to be encrypted! I was just doing myusername:plainpassword
I didn't realize I was that slow in typing a comprehensive answer! @elduderino
Upvote for you @AlvinWong anyway. elduderino I think httpdocs could be your web root directory. I highly suggest you move your .htpasswd file from httpdocs folder to somewhere which is not accessible to public.
4

Make sure the .htpasswd is in the format of user:passwordhash, where passwordhash can be of the following types:

  • CRYPT (a kind of cryptographic hashing, only the first 8 characters are supported so beware not to choose a password longer than 8 characters)
  • MD5 (an Apache-specific algorithm that make uses of the MD5 function, a bit similar to cryptographic hashing)
  • SHA1 (only one possible outcome per password, so the resulting hash can probably be reversed if a hacker managed to get the .htpasswd file)
  • Plain text (you can always create this format, but note that "the httpd daemon will only accept plain text passwords on Windows, Netware and TPF". Also using plain text is unsafe because if a hacker gets the file he will know all your passwords)

Normally you will choose CRYPT, but if you have a longer password consider MD5 or SHA1. Never try to use plain text as it is not supported on Linux and is dangerous.

Improve this answer

Comments

0

First try to remove line "AuthGroupFile /dev/null" - I don't specify it if not using group file...

If it doesn't help - have a look in error.log of apache... it'll give you hints. Of post relevant part of the error.log here...

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.