Hello. I'm trying to set up a private section of my website for testing and I'm having a problem where my .htaccess / .htpasswd protection always rejects my password. I've set permissions to 604 on both files as recommended by my web host and both files reside in the same subfolder.
At first I tried setting the password in the .htpasswd file from OS X's Terminal using the htaccess command. When that didn't work I hashed it using an online tool to generate the hash. It hashed differently but still doesn't work.
I'm uploading via Fetch (FTP).

If anyone has ideas as to why this might be happening I'd greatly appreciate your feedback.

Edit: I should mention that my .htpasswd file path is absolute.
Also I want to move this discussion to the "Apache" section, but seems I can't. Moderators please move if possible.

Can you show the .htaccess code? Apache offers three different modules:

  • mod_auth
  • mod_auth_digest
  • mod_auth_dbm

Are these enabled? Have you used htpasswd or htdigest to generate the password file? You wrote about an htaccess command, but this does not exist. For more information check this: http://httpd.apache.org/docs/2.0/howto/auth.html

To "move" the thread you can add the tag Apache to the current thread, check at bottom-left of this page.

Thank you. The contents of my .htaccess file:

AuthUserFile http://mydomain.com/sandbox/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure area. Please enter admin password."
AuthType Basic
require valid-user

I meant htpasswd command. Sorry, brainfart.
htpasswd -c .htpasswd secure
And then set the password. I checked the output file and everything looked right.

As for the three Apache modules, I hadn't heard of those but I read the page you linked to. So since I'm using AuthType Basic that means I'm using the mod_auth module.
(I may want to use AuthType Digest at some point, but I'd rather get the basics down first.)

Ok, change it to:

AuthType Basic
AuthUserFile /absolute/path/to/.htpasswd
AuthName "Secure area. Please enter admin password."
Require user secure

For the AuthUserFile directive you have to set an absolute path to the file, for example /srv/auth/.htpasswd, not a URL. Then for Require user set the one used with the htpasswd command; in your example it is secure, so secure will be the username.

Regarding the link I provided, also check the documentation for the newer versions of Apache; there are more modules and settings that can be used.

Thank you for the suggestion. I had been confusing the concept of absolute filepath with absolute URL. Since both point to the same file it hadn't occurred to me to differentiate.

It's still not working though.

How do I know what the absolute filepath is?
For example my home page is /index.html
So my password would be /sandbox/.htpasswd

That is what the server would consider an absolute filepath, right?
Since a relative filepath would be ./.htpasswd
Or am I missing some important bit of info here?
I don't know what directory is above the site root, nor do I know how to navigate to it using my FTP client. (But as long as I set permissions correctly for both files I shouldn't need to store them anywhere higher - is my understanding.)

If my filepath is correct, my next things to consider are:
1. Is my computer hashing in the same way as the server? (I am on a Mac and I presume the server is UNIX or Linux, but the command htpasswd should hash the same on any 'NIX system, right?)
2. What is the significance of AuthGroupFile /dev/null (my hosting provider uses this in their example)

Thanks again.

Another consideration:
3. Although I am setting permissions to 604 does it make a difference where the file resides at the time permissions are changed? (Since I'm changing it on my computer and then FTP uploading it.)
Just trying to think of every possible variable that might cause a problem.

To get the full path you can run pwd from the command line or run a PHP command as:

php -r 'echo __DIR__; echo PHP_EOL;'

It can be also a script file:

<?php
    echo __DIR__;
?>

Running this from the directory in which the .htpasswd file is saved will return the correct path to set. Another alternative is to check the DocumentRoot value in your Apache config, or via PHP:

<?php
    echo $_SERVER['DOCUMENT_ROOT'];

A relative path can be used in relation to the ServerRoot:

The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute (i.e., if it doesn't begin with a slash), it is treated as relative to the ServerRoot.

Note that DocumentRoot and ServerRoot are different: the first is for your files, the second refers to the server installation.

The hash generated automatically by htpasswd is an MD5 digest; it starts with $apr1$ and is not the same as a plain MD5 hash, so the result will always be different. For more information: http://httpd.apache.org/docs/current/misc/password_encryptions.html
So it's not a problem to run the command on a different system and upload the file. It will work.

AuthGroupFile /dev/null refers to a group of users; in this case it is pointing to /dev/null, i.e. an empty value. Unless there is a specific setup at your hosting company, AuthGroupFile is optional and can be omitted.

If the server can read the file, your permission settings should not be a problem. You can test it by setting the same permissions on a test script and then trying to run it from the browser; if it loads, then it's working fine.

Hope it helps!

commented: Thank you! It's working now! The problem was I didn't know the absolute path. But your PHP script revealed it to me. Thank you! +0
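As an added example (my own code, not from the thread, the hosting company or Apache), here is a pure-Python reimplementation of the $apr1$ scheme mentioned above, so a .htpasswd line can be checked offline before uploading. The sample file is constructed; its first entry is the myName / myPassword example from the Apache password_encryptions page linked above, and the random-salt helper is an assumption about how a fresh line would be built. Only the standard library (hashlib, hmac, secrets) is used.

```python
"""Verify a .htpasswd entry offline.

Reimplements the $apr1$ scheme (Apache's salted, iterated MD5 variant)
in pure Python so an entry can be checked without a running Apache.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, lowest bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' for a password and an up-to-8-char salt."""
    pw = password.encode()
    salt = salt[:8].split("$", 1)[0]        # same truncation rules as Apache
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Mix in the alternate digest once per 16 bytes of password.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # For each bit of len(pw): a NUL byte if the bit is set, else the first pw byte.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds, each mixing password, salt and the previous digest.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    # Output bytes are permuted before the base64-like encoding.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return MAGIC + salt + "$" + encoded


def new_htpasswd_line(user: str, password: str) -> str:
    """Build a user:hash line with a fresh random salt (assumed to mirror htpasswd -m)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def check_htpasswd(lines, user: str, password: str) -> bool:
    """True if `user` has an $apr1$ entry in `lines` and `password` matches it."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user or not stored.startswith(MAGIC):
            continue                                # only $apr1$ entries handled here
        salt = stored[len(MAGIC):].split("$", 1)[0]
        candidate = apr1_md5(password, salt)
        return hmac.compare_digest(candidate, stored)   # constant-time compare
    return False


# Constructed sample file; the first line is the worked example from the
# Apache password_encryptions page (user myName, password myPassword).
SAMPLE_HTPASSWD = [
    "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
    "# comment lines and blank lines are ignored",
    "",
]

if __name__ == "__main__":
    print(check_htpasswd(SAMPLE_HTPASSWD, "myName", "myPassword"))   # True
    print(check_htpasswd(SAMPLE_HTPASSWD, "myName", "wrong"))        # False
    print(new_htpasswd_line("secure", "myPassword"))
```

Two things this makes visible: the salt is random, which is why the Terminal and the online tool produced different hashes for the same password (both were still valid), and the comparison is done with hmac.compare_digest so a checker like this does not leak timing information. The scheme is MD5-based; on Apache 2.4 the htpasswd -B option gives bcrypt, which is the stronger choice for new files.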

Thank you so much! It's great to have this working. It had been bothering me for days.

Now that the big burning question is out of the way, I have a few less important questions if you're up to it.

  1. Does the login session ever expire?
    Or now that I've typed the password from this computer it will always let me in until I clear cookies or something?

  2. How can I test to make sure the permissions are set correctly so that it can't be hacked?
    I did as my hosting provider instructed so it's probably fine. Just wondering if there's a best practice for testing.

  3. You suggested "check the DocumentRoot value in your Apache config" - how can I do this?
    Might be good to know how for the future.

You're welcome. When you close the browser the access permission will expire. As a security measure the .htpasswd file should be placed out of the web root, i.e. outside the DocumentRoot. Although this is "secure" it does not prevent brute-force attacks; to do that you should consider solutions like fail2ban.

But I don't know what kind of hosting plan you are using.

To check Apache config browse to /etc/apache2 and check the available files. If you don't have access to that directory check with your hosting documentation.

Consider this howto: http://httpd.apache.org/docs/current/howto/auth.html

commented: You're awesome! I appreciate your help. I'll look into fail2ban and see if I can access the apache2 directory. +0
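To tie the advice in this thread together, here is an added example (my own code, not from the hosting company or from Apache) that audits an .htaccess snippet offline for the three AuthUserFile mistakes discussed above: a URL instead of a filesystem path, a relative path (which Apache resolves against ServerRoot, not your site), and a password file left inside DocumentRoot. It also checks a file mode such as 604 for write bits the web server's group or other users should not have. The directory names and the three snippets are constructed; the first snippet is the original .htaccess from earlier in the thread.

```python
"""Audit the AuthUserFile setting of an .htaccess snippet offline.

Added example: flags the mistakes discussed in the thread without a
running server. Directory names below are constructed for the example.
"""
import os
import re

# Finding texts are constants so callers can match on them.
F_NO_USERFILE = "no AuthUserFile directive"
F_URL = "AuthUserFile is a URL; Apache needs a filesystem path"
F_RELATIVE = "AuthUserFile is relative; Apache resolves it against ServerRoot, not the site"
F_IN_DOCROOT = "password file is inside DocumentRoot; move it outside the web root"
F_NO_AUTHTYPE = "no AuthType directive"
F_NO_REQUIRE = "no Require directive; nothing is protected"
F_WORLD_WRITABLE = "file is world-writable"
F_GROUP_WRITABLE = "file is group-writable"

_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def parse_directives(htaccess_text: str) -> dict:
    """Map lowercased directive name -> argument string (surrounding quotes stripped)."""
    directives = {}
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    return directives


def audit_htaccess(htaccess_text: str, document_root: str, server_root: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    d = parse_directives(htaccess_text)
    if "authtype" not in d:
        findings.append(F_NO_AUTHTYPE)
    if "require" not in d:
        findings.append(F_NO_REQUIRE)
    user_file = d.get("authuserfile")
    if user_file is None:
        findings.append(F_NO_USERFILE)
        return findings
    if _URL_RE.match(user_file):
        findings.append(F_URL)
        return findings
    if not user_file.startswith("/"):
        findings.append(F_RELATIVE)
        user_file = os.path.join(server_root, user_file)   # how Apache would resolve it
    resolved = os.path.normpath(user_file)
    docroot = os.path.normpath(document_root)
    if resolved == docroot or resolved.startswith(docroot + "/"):
        findings.append(F_IN_DOCROOT)
    return findings


def permission_findings(mode: int) -> list:
    """Flag write bits for group/other on a permission mode such as 0o604."""
    findings = []
    if mode & 0o002:
        findings.append(F_WORLD_WRITABLE)
    if mode & 0o020:
        findings.append(F_GROUP_WRITABLE)
    return findings


def audit_file_mode(path: str) -> list:
    """Same check against a real file; returns [] if the path does not exist."""
    try:
        return permission_findings(os.stat(path).st_mode & 0o777)
    except FileNotFoundError:
        return []


DOCUMENT_ROOT = "/home/example/public_html"   # constructed
SERVER_ROOT = "/etc/apache2"                   # constructed

# The original .htaccess posted in the thread (URL instead of a path).
ORIGINAL_HTACCESS = """\
AuthUserFile http://mydomain.com/sandbox/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure area. Please enter admin password."
AuthType Basic
require valid-user
"""

# Absolute path, but the password file still lives under DocumentRoot.
INSIDE_DOCROOT_HTACCESS = """\
AuthType Basic
AuthUserFile /home/example/public_html/sandbox/.htpasswd
AuthName "Secure area. Please enter admin password."
Require user secure
"""

# Absolute path outside the web root, as the last answer recommends.
HARDENED_HTACCESS = """\
AuthType Basic
AuthUserFile /home/example/auth/.htpasswd
AuthName "Secure area. Please enter admin password."
Require user secure
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_HTACCESS),
                       ("inside docroot", INSIDE_DOCROOT_HTACCESS),
                       ("hardened", HARDENED_HTACCESS)):
        print(name, audit_htaccess(text, DOCUMENT_ROOT, SERVER_ROOT) or "ok")
    print("mode 604:", permission_findings(0o604) or "ok")
    print("mode 606:", permission_findings(0o606) or "ok")
```

Run it against your own .htaccess text with the DocumentRoot value the PHP snippet earlier in the thread printed; audit_file_mode can be pointed at the uploaded .htpasswd once you know its absolute path. The 604 recommended by the host passes the mode check because only the owner can write; the check exists to catch a 606 or 666 left behind by an FTP client.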