What is .htaccess and how does it work?

  • Bill_Thompson

What is .htaccess and how does it work in setting up webpages that are only viewable with membership?
  • Funny_Fuzz

.htaccess is a language (if you can call it that) that is used mainly for executing functions mainly involving the server.

Let's say you want the folder "Members Area" password protected. You put the .htaccess file containing:

Code:
AuthName "Members Area"
AuthType Basic
AuthUserFile /home/httpd/vhosts/yourdomainname/httpdocs/yourusername/.htpasswd
Require valid-user
<Files .htaccess>
order allow,deny
deny from all
</Files>

inside the folder you want password protected.

To get the login to pop up, you create a page inside the folder "Members Area" to be the main page for that folder. Let's just call that file "Home.html". In the Index/Homepage of your website, you create a link with the URL http://www.yourdomain.com/Members Area/Home.html.

.htaccess affects the whole website and folder. So clicking that link will activate the login script.

Unfortunately... the only way to log out is to exit the browser, unless you get some really complicated PHP codes that really confuse me. The best thing about .htaccess is that it is pretty impossible to get past. It is absolutely fool-proof. Because the passwords are encrypted, the .htaccess contains this script:
Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>

which makes it impossible to see the .htaccess file. So it's very good for security.

A little extra stuff to help you.
This script can become very useful in some situations.

IP Address Banning:
Now for this, there are different ways of blocking the IP address.
Create another .htaccess file - but put this in your main directory. Now this is where it gets a bit more tricky.

There are different ones to choose from.
A)
Code:
deny from all

this will block every single IP address known to existence.

B)
Code:
deny from 000.000.000.00.0

this will block the IP address from the exact address shown.

C) Do the same, but instead of "deny" change it to "allow"; this will do the opposite of the one mentioned above.

D)
Code:
deny from 000.000.000

Notice how there are fewer numbers? That means that it's an IP address range instead of an exact address. Say you wanted an IP address such as 888.999.666.77.0 to be blocked, as well as everything between it and 888.999.666.88.0. That is what you do.

Another useful trick
Customized Error Pages:
Code:
ErrorDocument 404 http://www.yoursite.com/404_Error.html


This script makes the page "404_Error.html" appear every time a 404 error happens.

To do the others such as: 401 Error - Unauthorised access, you change it to:

Code:
# A 401 document must be a local path; Apache ignores a full URL here.
ErrorDocument 401 /403_Error.html

That is pretty much the basics of .htaccess as well as password protecting.

This was bits of a .htaccess tutorial I wrote for someone a long time ago, so please excuse me if it's hard to understand.
Hope that helps you, good luck! :thumbsup:
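
A small audit of the kind of .htaccess shown in the post above, as an added example that is not part of the thread or of Apache itself. It flags a password file kept under the web-served tree (Apache's authentication how-to recommends placing it outside), Apache 2.2 `Order`/`Allow`/`Deny` lines (2.4 uses `Require`), and an `ErrorDocument 401` that points at a full URL. The function name and the `docroot_marker` value are assumptions.

```python
import re

# Constructed sample modelled on the .htaccess in the thread,
# with a full-URL ErrorDocument 401 line added.
SAMPLE = '''\
AuthName "Members Area"
AuthType Basic
AuthUserFile /home/httpd/vhosts/yourdomainname/httpdocs/yourusername/.htpasswd
Require valid-user
<Files .htaccess>
order allow,deny
deny from all
</Files>
ErrorDocument 401 http://www.yourwebsite.com/403_Error.html
'''


def audit_htaccess(text, docroot_marker="/httpdocs/"):
    """Return (line_number, finding) tuples for an .htaccess file.

    docroot_marker is an assumption: a path component that marks the
    web-served tree on this host ("httpdocs" in the thread's path).
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        if name == "authuserfile" and docroot_marker in args.strip('"'):
            findings.append((n, "password file is inside the web-served tree"))
        elif name in ("order", "allow", "deny"):
            findings.append((n, "2.2 access syntax; 2.4 uses Require "
                                "(or needs mod_access_compat)"))
        elif name == "errordocument" and re.match(r"401\s+https?://", args, re.I):
            findings.append((n, "ErrorDocument 401 must be a local path"))
    return findings


if __name__ == "__main__":
    for n, msg in audit_htaccess(SAMPLE):
        print(f"line {n}: {msg}")
```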
  • Impel GD

Apache Tutorial: .htaccess files

apache.org wrote:
In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.

.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.
  • pedrotuga

Hey Funny_Fuzz.. that's a piece of nice and easily understandable documentation.

Nice that you didn't just google-and-paste-link :)

Sometimes help forums can get a lot of "found this on google", lol.

It is important to create a good consistent documentation base.

well... anyway, Impel, I think that apache.org means that you should not get lost among a mess of permission settings all over your folders.

But when using a commercial paid little webspace, the customer doesn't have access to any server settings. Then I think using .htaccess is kind of the only way... I think that's what they mean
  • Impel GD

pedrotuga wrote:
Hey Funny_Fuzz.. that's a piece of nice and easily understandable documentation.

Nice that you didn't just google-and-paste-link :)

Sometimes help forums can get a lot of "found this on google", lol.

It is important to create a good consistent documentation base.

Well, if you don't mind me saying so, my reply was a lot more useful than yours.

If I know something about the subject in question that hasn't been repeated across the internet thousands of times I'll post it. In this case I'm not familiar with the subject and, if you observe the post times, Funny_Fuzz hadn't submitted his nice tutorial when I clicked the reply button. In my view, a short reply pointing someone in what is probably the right direction is better than none at all. Computers and this internet thing are very good at potentially saving continual repetition of data, so why shouldn't links be used? Nonetheless, in future I will remember to PM you for permission before posting.

pedrotuga wrote:
well... anyway, Impel, I think that apache.org means that you should not get lost among a mess of permission settings all over your folders.

But when using a commercial paid little webspace, the customer doesn't have access to any server settings. Then I think using .htaccess is kind of the only way... I think that's what they mean

Well, yes... that's what I made of it as well (it's obviously relevant to Bill_Thompson's fairly broad question so I included it here).
  • Funny_Fuzz

Quote:
Hey Funny_Fuzz.. that's a piece of nice and easily understandable documentation.
Quote:
if you observe the post times, Funny_Fuzz hadn't submitted his nice tutorial when I clicked the reply button
Hahaha, never would have thought "that" would have got any compliments ;)
  • Vincent

Is there any way to use PHP to log in to the Apache .htaccess files instead of having that stupid box?

And please don't just say to check Google because I just did...
  • Impel GD

Which stupid box are you referring to, Vincent? The .htaccess file is simply a text file which you create yourself and upload to a directory in your webspace.
  • Tannu4u

.htaccess is used to get more control over the web pages, password-protect folders, etc.

It's a very, very important file.
  • Tannu4u

Funny_Fuzz has given very beautiful documentation for that; after his explanation I think that it would be clear what .htaccess is and for what purpose it is used.
  • Funny_Fuzz

Lol, another compliment. Thank you Tannu4u
  • Funny_Fuzz

Vincent, have you checked out php.net? I know there is something there that allows you to use PHP to log in to a .htaccess protected folder, just that I found it rather hard to understand. It's far more advanced than where my skills go. But if you're up for the challenge, good luck ;)
  • Vincent

Doing a little treasure hunt through my files, I've found a script that can detect the username of the server password:

Code:
// Fragment of a longer if/else chain; $authmethod is set earlier in the script.
// $_SERVER and $_ENV replace $HTTP_SERVER_VARS and $HTTP_ENV_VARS, which PHP 5.4 removed.
if ($authmethod == "server") {
  if (isset($_SERVER["PHP_AUTH_USER"])) {
   $username = $_SERVER["PHP_AUTH_USER"];
  } else if (isset($_ENV["REMOTE_USER"])) {
   $username = $_ENV["REMOTE_USER"];
  }
}

Though this only sees what the server has done to the $http_server_vars and the $http_env_vars variables... it doesn't change them.

If anyone knows where the information is in php.net, please post because all I've found is the session information.
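
Where the user name in PHP_AUTH_USER / REMOTE_USER comes from under `AuthType Basic`, as an added example that is not code from the thread or from PHP: the browser's login box sends an `Authorization: Basic` header, and the server decodes it. The credentials are only Base64-encoded in that header, which is why a directory protected this way should be served over HTTPS. The function names and the sample credentials are constructed for illustration.

```python
import base64
import binascii


def build_basic_auth(user, password):
    """Header value the browser sends after the login box is filled in."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header value, or None.

    Mirrors the decoding the server performs before a script sees the
    user name in PHP_AUTH_USER or REMOTE_USER.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not Base64, or not text: reject rather than guess
    # Only the first colon separates user from password;
    # the password itself may contain further colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


# Constructed credentials, for illustration only.
HEADER = build_basic_auth("member1", "s3cret:with:colons")

if __name__ == "__main__":
    print(HEADER)
    print(parse_basic_auth(HEADER))
```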

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.