HTMLisEasy.com
HTML tutorials for the rest of us...
HTTP Authentication: example & run-through

Now we are going to create the file that holds the usernames and encrypted passwords. Creating passwords is handled by a program on the server called htpasswd. The first time you run it, you do two things: 1) you create a file named .htpasswd, and 2) you create the first username/password pair.

Type htpasswd -c .htpasswd jimmy

You will be asked to enter the password twice (enter page as the password).

Done! That's it. Everything in that directory is protected.

Here is a quick review of the steps involved again...

Now I'll add a user. We'll add user freddie with password ss345 (Close everything. We'll start from scratch.)

Telnet to the account and cd to the protected directory...

Type htpasswd .htpasswd freddie (Translated, this means: use the program htpasswd to add new user freddie to the user file .htpasswd.)

You will be prompted for freddie's password twice...

Bingo! New user. Try it. (username is freddie, password is ss345)

Note: access to that directory is allowed for as long as you have your browser open. If you zip right on in without being prompted for a password, it may be because you've previously gained access (possibly using jimmy/page). You could close your browser and try again.

As you accumulate users, your password file (.htpasswd) will start looking like this...

jimmy:.oRioUQCKQxrU
freddie:IpVTuxjtdzFqM
ralphie:OEfpigpLicSS2
billg:eubiaEVYpugW6
grant:5nAoq3e89lBtQ

To delete a user, simply delete his line in the password file. There are a couple of ways to do this. One is to Telnet to the directory, open the password file in pico (pico .htpasswd) and delete it there. Or, you can use your FTP client to download .htpasswd, remove the appropriate line and send it back up.
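
The password file format and the delete-a-user step above can also be scripted. The following is an added example, not part of the original tutorial: htpasswd_audit labels each entry by the hash scheme its prefix and length indicate (going beyond the 13-character entries shown above to the other formats htpasswd can write), and htpasswd_remove deletes one user's line. The function names and the alice/bob sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example: function names and the alice/bob entries are constructed.

# Print "user<TAB>scheme" for each entry of an htpasswd-style file.
htpasswd_audit() {
    awk -F: '
        /^[ \t]*$/ { next }    # skip blank lines
        {
            h = $2
            if      (h ~ /^[$]2[aby][$]/)     s = "bcrypt"
            else if (index(h, "$apr1$") == 1) s = "apr1-md5"
            else if (index(h, "{SHA}") == 1)  s = "sha1-unsalted"
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "des-crypt"
            else                              s = "unknown"
            printf "%s\t%s\n", $1, s
        }' "$1"
}

# Remove USER (exact match on the name field). Returns non-zero and leaves the
# file untouched if the user is absent. Writing back with cat keeps the
# original file's owner and mode, which the web server needs to read it.
htpasswd_remove() {
    file=$1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if DROP_USER=$2 awk -F: '
            $1 == ENVIRON["DROP_USER"] { found = 1; next }
            { print }
            END { exit !found }' "$file" > "$tmp"
    then cat "$tmp" > "$file"; rc=$?
    else rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed file: two entries from the listing above, two placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
jimmy:.oRioUQCKQxrU
freddie:IpVTuxjtdzFqM
alice:$apr1$CONSTRUCTED$placeholderNotARealHash
bob:$2y$10$constructedPlaceholderNotARealBcryptHash
EOF
htpasswd_audit "$sample"
htpasswd_remove "$sample" freddie && htpasswd_audit "$sample"
rm -f "$sample"
```

Entries reported as des-crypt use the traditional crypt() format, which only considers the first 8 characters of the password. Re-creating such a user with htpasswd -B stores a bcrypt hash instead.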

A couple more notes...

Most browsers will offer to save the password for you. If you allow this, the username & password are encrypted and saved in a special file on your computer. Then, if and when you go back to that page, the site will ask for authentication and your browser will provide your saved user/pass and you'll gain access. In most instances this is done seamlessly and in the background and it will seem just like accessing a regular non-protected page.

I should also mention that HTTP authentication is not the only server-based password protection scheme used. There are others. Some of these may not use the HTTP authentication method described above. Some may use an entirely different method.


And that wraps it up for me. I hope this little run-through has been of some use to you. And once again, let me stress.... some of this stuff can seem monumentally confusing the first, second and even third time out. But I promise, the more you do ANYTHING, the easier it will become...
