Welcome to WebmasterWorld Guest from 107.23.37.199

Forum Moderators: Ocean10000 & phranque

Message Too Old, No Replies

.htpasswd files

above the root directory

     
12:05 am on Nov 15, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


I'm going through a short tutorial that I found about password protecting a page with .httaccess and .htpasswd files. It states in the tutorial the following:

"For security, you should not upload the htpasswd file to a directory that is web accessible (yoursite.com/.htpasswd), it should be placed above your www root directory"

I'm confused as to how to do this. I'm using the ftp client that is provided by my webmaster and I don't seem to have access to anything other than my www root directory.

10:11 pm on Nov 15, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 19, 2005
posts:44
votes: 0


Then you can't do it. You'll have to put your .htpasswd file in your root directory. The issue though is that you just don't want people to be able to read that file (even people who are logged in). If so, the reader can easily see all your login ids by just visiting: [domain.com...]

Web visitors can't get above your root directory, hence the suggestion. Another solution though is to add a directive to your .htaccess file that tells apache not to allow any requests for files that start with ".ht". Here's what I use:


<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

Apache itself will still be able to read your ".ht..." files but not web site visitors.

The only caveat is that it's possible that your web host account may not allow you to have such a directive in your .htaccess file. My suggestion is to try it and see. And if you have problems, check with the webmaster you mentioned.

12:38 am on Nov 21, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


Thanks for your help. I'll give that a shot. I have a pretty cheap hosting plan right now. Maybe I should consider upgrading