.htpasswd files

Forum Moderators: phranque

Message Too Old, No Replies

.htpasswd files

above the root directory

brancook

12:05 am on Nov 15, 2006 (gmt 0)

I'm going through a short tutorial that I found about password protecting a page with .httaccess and .htpasswd files. It states in the tutorial the following:

"For security, you should not upload the htpasswd file to a directory that is web accessible (yoursite.com/.htpasswd), it should be placed above your www root directory"

I'm confused as to how to do this. I'm using the ftp client that is provided by my webmaster and I don't seem to have access to anything other than my www root directory.

crevier

10:11 pm on Nov 15, 2006 (gmt 0)

Then you can't do it. You'll have to put your .htpasswd file in your root directory. The issue though is that you just don't want people to be able to read that file (even people who are logged in). If so, the reader can easily see all your login ids by just visiting: [domain.com...]

Web visitors can't get above your root directory, hence the suggestion. Another solution though is to add a directive to your .htaccess file that tells apache not to allow any requests for files that start with ".ht". Here's what I use:


<Files ~ "^\.ht">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

Apache itself will still be able to read your ".ht..." files but not web site visitors.

The only caveat is that it's possible that your web host account may not allow you to have such a directive in your .htaccess file. My suggestion is to try it and see. And if you have problems, check with the webmaster you mentioned.

brancook

12:38 am on Nov 21, 2006 (gmt 0)

Thanks for your help. I'll give that a shot. I have a pretty cheap hosting plan right now. Maybe I should consider upgrading

.htpasswd files

above the root directory

brancook

crevier

brancook

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week