The httpd password model closely parallels the Unix password
scheme. That is, you can define individual users who are given access
to a set of documents, and you can define groups of users to be granted
access. Two files, one containing the users and another containing the
groups, are needed for each directory you want to protect.
A simple example
The easiest way to see how password protection works is to look at a
Suppose we have a directory whose contents are to be restricted to three
users: larry, curly, and moe. As a first step, within this directory, create an
.htaccess file that looks like this:

    AuthUserFile /someplace/else/htpasswd
    AuthGroupFile /dev/null
    AuthName Stooges
    AuthType Basic
    <limit>
    require user larry curly moe
    </limit>

Yikes! What does all this mean? Don't panic; it all makes sense:
AuthUserFile is the full pathname of the file
containing the password entries for your
authorized users. You should keep this file in some directory other
than the document directory; otherwise, someone could download your
password file and attempt to crack your passwords. We'll see how to
create this file a little later.
AuthGroupFile is not needed here, so we set it to
AuthName defines the name of the security
realm for these documents. This name may be presented to the
user by the browser when they are prompted for the password, and it is
often cached by the browser so that a user need not be prompted more
than once for the same password for other documents in the same realm.
Use some name that indicates to the user the scope of these documents.
AuthType defines the type of authentication being
performed. Depending on your server, you may have many choices. The
most common and widely supported is
Once this file is in place, any reference to a document in this
directory will cause the user to be prompted for a password. The user
will enter a user name and password, which will be sent to the server.
The server will see if the username is defined in the
AuthUserFile, verify that the password is correct, and
finally check to make sure that the user name is either "larry",
"curly", or "moe". If all three tests succeed, the user is granted
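
The three tests described above, written out as an added example (this is not code from the original page or from httpd itself). It assumes password entries in the "{SHA}" htpasswd format, which the page does not specify; the passwords, the extra user shemp, and all function names are constructed for the illustration.

```python
import base64
import hashlib
import hmac

def sha_entry(user, password):
    """Build one htpasswd-style line in the "{SHA}" format (assumed for this demo)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed sample data: moe is authorized but has no password entry,
# shemp has a password entry but is not in the require list.
HTPASSWD = "\n".join(sha_entry(u, p) for u, p in
                     [("larry", "nyuk"), ("curly", "woob"), ("shemp", "heep")])
REQUIRED_USERS = {"larry", "curly", "moe"}  # require user larry curly moe

def parse_htpasswd(text):
    """Map user name -> stored hash for each user:hash line."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def basic_header(user, password):
    """What the browser sends: base64 of user:password, an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(header, users, required):
    """Apply the three tests in order; return (allowed, reason)."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return False, "unsupported scheme"
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return False, "malformed credentials"
    user, sep, password = decoded.partition(":")
    if not sep:
        return False, "malformed credentials"
    stored = users.get(user)
    if stored is None:  # test 1: user is defined in the AuthUserFile
        return False, "unknown user"
    expected = sha_entry(user, password).split(":", 1)[1]
    if not hmac.compare_digest(stored.encode(), expected.encode()):  # test 2
        return False, "bad password"
    if user not in required:  # test 3: user is named in "require user"
        return False, "not in require list"
    return True, "ok"

USERS = parse_htpasswd(HTPASSWD)
```

Because the header is only base64-encoded, anyone who can read the request can recover the password, so Basic authentication should be served over TLS.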