Password Protect a Directory

Supremezzy
Forum Newbie
Posts: 8
Joined: Thu Jan 26, 2012 1:32 pm

Password Protect a Directory

Post by Supremezzy »

Hey, I need help with something. I recently got a website together and have it so when you put /admin on the domain it will take you to the admin panel.
e.g. www.yourdomain.com
www.yourdomain.com/admin

What I need help with is protecting the /admin directory, so that you can only access it with a username and password.

It would be great if I can get help with this.

Thanks
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Password Protect a Directory

Post by Celauran »

Check for the existence of some session variable. If it's not there, present a login form. From here you can query a database, or just store a precomputed hash in a config file (obviously not very secure). If the credentials match, set aforementioned session variable and forward the user.
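
The flow described in the post above, as an added example that is not part of the original thread: a single admin/index.php that checks a session variable, shows a login form, and verifies against a stored hash. The credentials, the admin_user session key and the /admin/ redirect path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo credentials. In a real deployment the hash is generated once with
// password_hash() and kept in a config file outside the web root; it is computed
// inline here only so this file runs as-is.
$config = [
    'user' => 'admin',
    'hash' => password_hash('constructed-demo-password', PASSWORD_DEFAULT),
];

session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict', 'secure' => !empty($_SERVER['HTTPS'])]);
session_start();

function credentials_match(array $config, string $user, string $pass): bool
{
    // Run both checks every time so a bad username and a bad password cost the same.
    $userOk = hash_equals($config['user'], $user);
    $passOk = password_verify($pass, $config['hash']);
    return $userOk && $passOk;
}

$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (credentials_match($config, $user, $pass)) {
        session_regenerate_id(true);     // fresh session ID on login (blocks session fixation)
        $_SESSION['admin_user'] = $user; // the session variable every admin page checks
        header('Location: /admin/');
        exit;
    }
    $error = 'Invalid username or password.';
}

if (empty($_SESSION['admin_user'])) {
    // Not logged in: show the login form and stop before any admin content is sent.
    ?>
    <form method="post">
      <p><?= htmlspecialchars($error, ENT_QUOTES) ?></p>
      <label>User <input name="user" autocomplete="username"></label>
      <label>Password <input name="pass" type="password" autocomplete="current-password"></label>
      <button type="submit">Log in</button>
    </form>
    <?php
    exit;
}

echo 'Welcome, ' . htmlspecialchars($_SESSION['admin_user'], ENT_QUOTES);
```

Every other script under /admin needs the same session check at the top before it sends any output.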
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: Password Protect a Directory

Post by rhecker »

The simplest way to protect a directory is by using the Apache htpasswd. There are many tutorials on the web about how to set this up.

Sessions, which Celauran described, are more versatile and if set up correctly can be very secure.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Password Protect a Directory

Post by twinedev »

Some possibilities, from easiest to most difficult:

If you have cPanel

Log into your cPanel, and under "Security" choose "Password Protect Directories"
It may pop up a dialog to choose which domain root; if you have just one domain mapped out, click OK.
You will see a treeview of your site. Click on the directory name you want to protect (in your case, "admin").

Mark the check box for "Password protect this directory", and below that give it some name (it will show up in the browser's password prompt).
Click SAVE. (then on confirmation page, click "Go Back")

In the bottom half, create a user and password. (there is even a secure password generator) Click Add/Modify User
You will get a confirmation page with the username and password, if you need to add more, click "Go Back"

Now on the editor page, you also have a list of users at the bottom, you can delete the user. As it says, if you want to change the password, just re-add it like you did the first time.

That simple! It takes care of the files for you!

No cPanel, and you don't have access to SSH (or you don't wanna mess with it)

Use the tools at Dynamic Drive: http://tools.dynamicdrive.com/password/

They have decent enough instructions there, so I'm not going to repeat them here.

You have SSH access and want to get your "hands dirty"

Change to the directory you want to protect.
Add an .htaccess file (or add to one that is there already):

Code:

AuthType Basic
AuthName "Administration Area"
AuthUserFile "/path/to/public_html/admin/.htpasswd"
require valid-user

"AuthName" can be what you want; it will show up in the login prompt for the browser.
Make sure you use your actual path in front of .htpasswd.

While in that directory, issue the following command which will create the password file called .htpasswd and add the user myuser:

Code:

htpasswd -c .htpasswd myuser

After you hit enter, you will be prompted to enter the password twice.
From then on out, now that the file .htpasswd was created, you leave off the -c portion of the line (else it will create a new file, wiping out any names already in it).
To change the password, just do the same steps as if you are adding a new user. It will overwrite the old one with the new.
To delete a user, you have to delete the line from the file. Use something like nano to edit the file:

Code:

nano .htpasswd

Here is what it looks like on one of my dev domains:

Code:

greg:$apr1$cJ84SvPC$ovs4ahB5fqFIXzni8KKJq.
kentpd:$apr1$yKnDRwcg$Mz3urO4eOCegdU4te33DH/

In nano, just put the cursor somewhere on the line that has the user to remove, and press CTRL-K (if you accidentally did the wrong one, immediately do CTRL-U to paste the deleted line).
When done, do CTRL-X to quit and save it. You will get prompted "Save Modified Buffer"; hit Y to save it, N if you want to just exit.
When you hit Y, it will prompt you for the name of the file to save as, defaulting to the one you opened, so just press ENTER to save back as the same file.
Note, if you need to, you are safe to change the username in this file (everything UP to the colon). I would suggest keeping to simple lowercase names.

Anyhow that is it. Your directory should be protected now.

So, now that you have the directory protected, what if you want to give your "master" user special privileges? Some think that this is where you need to use a programmed login and store sessions... But, PHP has access to the Username AND password that you entered, from a var_dump of $_SERVER:

Code:

  ["PHP_AUTH_PW"]=>
  string(11) "tempPass12#"
  ["PHP_AUTH_USER"]=>
  string(4) "greg"

If you are uncomfortable with making a secure login system, you could then use these to validate the user against a database with permissions.

Hope this helps.

-Greg

PS, if you are looking for a random password generator, here is one I use (I like that it has the option to not use similar characters (ex. i l 1 o 0) and can tell it to make a bunch at once if you are setting up multiple people at once): http://www.pctools.com/guides/password/
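
The last idea in the post above, checking the Basic-auth username against a database of permissions, as an added example that is not part of the original thread. The user_permissions table, the permission names and the in-memory SQLite database are constructed for illustration; it assumes PHP runs under Apache in a setup where PHP_AUTH_USER is populated.

```php
<?php
declare(strict_types=1);

// Constructed permissions table in an in-memory SQLite database so the example runs as-is;
// the table and permission names are hypothetical.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_permissions (username TEXT, permission TEXT)');
    $ins = $db->prepare('INSERT INTO user_permissions VALUES (?, ?)');
    foreach ([['greg', 'manage_users'], ['greg', 'edit_pages'], ['kentpd', 'edit_pages']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

function permissions_for(PDO $db, string $user): array
{
    // Prepared statement: the username comes from the request and is never concatenated into SQL.
    $stmt = $db->prepare('SELECT permission FROM user_permissions WHERE username = ?');
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function require_permission(PDO $db, ?string $user, string $permission): void
{
    // No username means the request did not pass Apache's Basic auth: deny by default.
    if ($user === null || !in_array($permission, permissions_for($db, $user), true)) {
        http_response_code(403);
        exit("Forbidden\n");
    }
}

// Apache has already checked the password against .htpasswd, so only the username is needed;
// PHP_AUTH_PW is deliberately not read, stored or logged.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$db = demo_db();
require_permission($db, $user, 'manage_users');
echo 'User management for ' . htmlspecialchars($user, ENT_QUOTES) . "\n";
```

Basic auth sends the username and password with every request, so the protected directory should only be reachable over HTTPS.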