When password protecting a directory or tree, it is important to consider a few things in advance. Also remember that you do not need to use the same password file for every directory. In theory, you could have 20 different password files (stored in the same spot) for 20 different directories, each with a completely different user/password list (it could get confusing, but it is an option).
Also, you need to consider whether you want any subdirectories to be publicly accessible when the parent directory is password protected. Depending on the web server software, that may not be a viable function. As a result, I would recommend that you work on your logical layout to separate publicly accessible folders/subfolders from ones that require restricted or authorized access. It reduces the chance of a hacker going into a publicly accessible subfolder, then attempting to find an exploit to enter a password protected parent folder.
The .htaccess file for the folder/subfolder group that requires password protection will need to contain the following information:
AuthUserFile /services/webpages/isp/providername/yad/yadda/arthurg/private/.htpasswd
AuthType Basic
AuthName "This Password Protected Area."
AuthName "Second line of this Password Protected Area."
Require valid-user
As you can see, the AuthUserFile location is given as a full path from the root folder of the drive's file system, not dynamically located from your login area to the website development area. AuthType Basic can be changed to another type, but for most home users just protecting a folder, you really do not need a different authorization type. The AuthName is what appears in the box requesting your username/password (and you can have more than one line if you really want). As you are restricting access to this folder/subfolder, you want to allow only authorized personnel, hence the need for "Require valid-user": if they fail the login attempt, they will not access the folder.
The .htpasswd file contains nothing more than a username and hash value of the user's password:
Arthur:9flfE/1lurp4c
arthur:9flfE/1lurp4c
If you vary how you type your username into the system (like me), it helps to account for the variations in your own typing style. In the above password file I included entries for my username both with and without an initial upper case letter.
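The following audit of the two files shown above is an added example, not part of the original page. It checks where AuthUserFile points and which hash scheme each .htpasswd entry uses; the function names and the `docroot` argument (the site's web root, which the page does not state) are assumptions.

```python
import re

# Sample inputs copied from the files shown above.
SAMPLE_HTACCESS = """\
AuthUserFile /services/webpages/isp/providername/yad/yadda/arthurg/private/.htpasswd
AuthType Basic
AuthName "This Password Protected Area."
Require valid-user
"""
SAMPLE_HTPASSWD = "Arthur:9flfE/1lurp4c\narthur:9flfE/1lurp4c\n"

def hash_scheme(h):
    """Classify an .htpasswd hash by its well-known prefix or shape."""
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des-crypt"  # traditional crypt(3): only 8 password chars count
    return "unknown"

def audit(htaccess, htpasswd, docroot):
    """Return findings; docroot is an assumed web root supplied by the caller."""
    findings, directives = [], {}
    for line in htaccess.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip('"')
    path = directives.get("authuserfile", "")
    if not path.startswith("/"):
        findings.append("AuthUserFile is relative (Apache resolves it against ServerRoot)")
    elif path.startswith(docroot.rstrip("/") + "/"):
        findings.append("password file is inside the document root")
    if directives.get("authtype", "").lower() == "basic":
        findings.append("AuthType Basic: credentials are only base64-encoded, require HTTPS")
    for entry in htpasswd.splitlines():
        if ":" not in entry:
            continue  # skip blank or malformed lines
        user, _, h = entry.partition(":")
        scheme = hash_scheme(h.strip())
        if scheme in ("des-crypt", "sha1-unsalted", "unknown"):
            findings.append(f"{user}: weak or unrecognised hash ({scheme})")
    return findings

if __name__ == "__main__":
    # Constructed docroot, assumed to sit beside the "private" folder.
    root = "/services/webpages/isp/providername/yad/yadda/arthurg/public_html"
    print("\n".join(audit(SAMPLE_HTACCESS, SAMPLE_HTPASSWD, root)))
```

Both sample entries are reported as des-crypt, so regenerating them with a bcrypt or apr1 hash would clear those findings.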