[RESOLVED] password protection via .htaccess


PittsburghRed
08-29-2006, 10:26 AM
I want to password protect a page on my website. I have placed it and related files into a folder. Where do I place the .htaccess and .htpasswd files? I believe I have configured both files correctly and put them into the same folder. It does not work. I get server error messages and the page does not come up (let alone the password prompt.) When I remove the two files, the page comes up (at least.)

NogDog
08-29-2006, 11:28 AM
I don't think it matters where the .htpasswd file is, as long as your .htaccess file points to it via the AuthUserFile entry.

PittsburghRed
08-29-2006, 01:16 PM
Yes, I would think so. Perhaps my server path to the file is incorrect. But, where do I place the .htaccess file itself? Do I place it in the folder that I want to protect? And are all pages in this folder then protected?

NogDog
08-29-2006, 02:59 PM
Yes, place the .htaccess file in the directory you want protected, and anything in that directory as well as sub-directories of it will be protected.

PittsburghRed
08-29-2006, 03:19 PM
OK. I placed both files in the directory to be protected. I did not have quotes around the AuthName previously. Now the user/password box appears (a step forward, no?) But the username/password does not give access. Perhaps my server path to the .htpasswd file is incorrect. Or what else?

TheBearMay
08-29-2006, 03:32 PM
Make sure you are using the full SERVER side path, not the url path.

If you're unsure of what that is, place the following lines in an shtml file and look for the line that reads SCRIPT_FILENAME=

<pre>
<!--#printenv -->
</pre>

PittsburghRed
08-29-2006, 06:13 PM
Very nice. Yes, I did this and I DO have the correct server path. So the problem lies in the .htpasswd file itself?

NogDog
08-29-2006, 07:06 PM
Are you encrypting the password? If not, here's a site you can use: http://www.xs4all.nl/~remcovz/htpasswd.html

PittsburghRed
08-29-2006, 09:14 PM
Thank you, I will attempt to encrypt when I get two simple user/passwords to work. What can I try? What could possibly be wrong?

PittsburghRed
08-29-2006, 09:30 PM
Whoa!!!!! I went to the encryption site; I generated my two user/passwords and pasted them in the .htpasswd file. Success!! But why? I need to know why. Why wouldn't my original user:password in the .htpasswd file work? Incidentally, the documentation link on the site produced an error. And the pasted text is HUGE. And...apparently my server path IS correct.

NogDog
08-29-2006, 09:44 PM
The authentication program is taking the input password and encrypting it, then comparing that value to the password value in the .htpasswd file. Therefore, the passwords in .htpasswd have to already be encrypted. This is so that if some unauthorized person manages to view your .htpasswd file, they still won't know what the passwords are -- unless they try some brute-force trial-and-error method until they find a match, which you can make much more difficult by using strong passwords (upper and lower case plus numbers and special characters).

PittsburghRed
08-29-2006, 10:03 PM
Let me get this straight ... the program that gathers the input from the user/password box which is provided by the Apache server is in cahoots with the password generator program that you sent? How is it that both programs are using the same encryption algorithm?

The websites I visited on this subject did not suggest that the passwords in the file HAD to be encrypted.


And... why doesn't this blink for me?
<p>Schrödinger's cat is <span style="text-decoration: blink">not</span> dead.</p>

NogDog
08-30-2006, 12:28 AM
> Let me get this straight ... the program that gathers the input from the user/password box which is provided by the Apache server is in cahoots with the password generator program that you sent? How is it that both programs are using the same encryption algorithm?

Yes, they're using the same hashing algorithm. (I believe by default it's an Apache-specific version of MD5, though other options are available.)

> The websites I visited on this subject did not suggest that the passwords in the file HAD to be encrypted.
>
> And... why doesn't this blink for me?
> <p>Schrödinger's cat is <span style="text-decoration: blink">not</span> dead.</p>

Not all browsers support it.
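
The check described in this thread (hash the submitted password, then compare it with the value stored in .htpasswd), as an added example that is not part of the original posts and is not Apache's own code. It assumes the Apache-specific MD5 format (`$apr1$`) and handles only that format; the function names `apr1_hash` and `check_entry` and the sample rows are made up for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password: str, salt: str) -> str:
    """Apache's MD5 variant: md5crypt with the "$apr1$" magic, 1000 rounds."""
    pw, magic = password.encode(), b"$apr1$"
    s = salt.encode()[:8]                      # salt is at most 8 characters
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + magic + s + (alt * (len(pw) // 16 + 1))[:len(pw)]
    i = len(pw)
    while i:                                   # one byte per bit of the length
        ctx += b"\0" if i & 1 else pw[:1]
        i >>= 1
    final = hashlib.md5(ctx).digest()
    for r in range(1000):                      # stretching rounds
        block = pw if r & 1 else final
        if r % 3:
            block += s
        if r % 7:
            block += pw
        block += final if r & 1 else pw
        final = hashlib.md5(block).digest()
    out = ""
    for a, b, c, n in [(0, 6, 12, 4), (1, 7, 13, 4), (2, 8, 14, 4),
                       (3, 9, 15, 4), (4, 10, 5, 4), (None, None, 11, 2)]:
        v = final[c] if a is None else (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(n):                     # custom base64, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$apr1${s.decode()}${out}"

def check_entry(line: str, user: str, password: str) -> bool:
    """Return True if `line` (one .htpasswd row) authenticates user/password."""
    name, _, stored = line.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False      # wrong user, or the stored field is not an apr1 hash
    salt = stored.split("$")[2]                # salt travels inside the row
    return hmac.compare_digest(apr1_hash(password, salt), stored)

# Constructed sample rows, not taken from the thread.
HASHED_ROW = "alice:" + apr1_hash("correct horse", "Zq3.x1Ab")
PLAINTEXT_ROW = "alice:correct horse"          # password stored as typed
```

`check_entry(HASHED_ROW, "alice", "correct horse")` succeeds, while the same password against `PLAINTEXT_ROW` fails because the stored field is not a hash the verifier can recompute. Because the salt is stored in the row itself, any generator and any verifier that implement the same algorithm arrive at the same value.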

PittsburghRed
08-30-2006, 03:00 PM
Thank you NogDog ... my problem is solved.

PittsburghRed
08-31-2006, 09:55 AM
One final remark: I must retract this statement ...

> The websites I visited on this subject did not suggest that the passwords in the file HAD to be encrypted.

In re-reading the material, it says exactly that, but in my defense, it is subtle. To quote, "...place the username and password (which is encrypted) for those whom you want to have access blah blah..." I just assumed I could deal with the encryption later.

I'm off to the HTML forum for another stupid question. See you there?