Beginner with a .htaccess question

Hi all

Hope this is the right place for this question. I have created a .htaccess in the admin folder of my website, so that the correct username and password has to be entered before access is granted. However, I have to enter the username and password 9 or 10 times before it gets accepted. I am definitely entering it correctly, but it just doesn’t seem to get accepted straight away for some reason. The file is as follows:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/ [R]
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/domain/htpasswdlocation/.htpasswd
AuthGroupFile /dev/null
require valid-user

Is there something wrong with this code? Sorry, new to all this website design, and can’t quite figure out some of these things yet!

Cheers for all help
Naz

Naz,

I use cPanel’s Protect Directory function to protect directories. It’s just too easy to set up on a production server and setting up a password protection on my test server would be an annoyance.

Please use the [noparse] ... [/noparse] wrapper for including code in your posts.

On to your question:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/domain/htpasswdlocation/.htpasswd
AuthGroupFile /dev/null
require valid-user

The red off is because {HTTPS} has two values, on and . Yes, that was a {null}. Because of this, you’ll either have to change to say !on or use the {SERVER_PORT} to match ^80$ (not SSL, the equivalent of off).

The blue $1 is taking advantage of the atom created by the regex to retain the requested URI and not change to the DirectoryIndex in store/admin (where this .htaccess is located).

The downside to the way that you’ve attempted is that the password file must be read for every request to admin.

Regards,

DK

Naz,

Checking, I’ve discovered that the above re {HTTPS} was incorrect:

This is correct as of Apache 2.0 (unless my memory is that bad and it was also valid for Apache 1.x).

The {SERVER_PORT} information is still good.

Regards,

DK

It all depends on what you need out of it, but doesn’t:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]

redirect any non-https access to admin? My thought is you want /store/admin/(.) instead of .*

ppost,

My thought was that bw’s .htaccess was in the admin directory per

Did I misread it?

Regards,

DK

ah!! now I can see what you are asking.
Is this a known, single server, a cloud, a shared environment?

I tried that on a multi-server environment before, and each box gives its credential/login, but every time I request a page I might not be given the same box to authenticate it. Was forced to login until I had hit up nearly every box. Had to move the login to database powered session.

If you know the box is static, Firefox plus some tools will help out. Live HTTP Headers, View Cookies.
You can watch the live header POST data, receive cookie, right click on the page and select info to get the list of cookies and headers specific to the page. They will tell you what is going on. For instance, if it’s a 407, 404 causing you to re-login etc.

Hi, and thanks for all the replies. I have been doing some reading on this Rewrite cond rule, but am still confused as to what has been said above. Sorry, but very new to all this, and I have never done web design before! Thought it would be easier to learn while doing it, rather than just read about it!

Anyway, what I am trying to do is two things. First, I want to make sure that anyone who accesses the domain.co.uk/Store/Admin folder needs to enter the correct password before they can gain access. Second, I want to force the domain.co.uk/Store/Admin area to always load as HTTPS rather than HTTP.

My website is on a shared hosting package with a website hosting company, so not sure how much I can change settings-wise. One thing I can’t do is use the Protect Directories feature in cPanel, as I get a message about Frontpage extensions when I try and this always stops me doing it.

Having read all the replies above, I am still confused as to what I should do. Should I change the .htaccess file to the following:


RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/domain/htpasswdlocation/.htpasswd 
AuthGroupFile /dev/null 
require valid-user

Also, really sorry but not sure what you mean by ‘Is it a static box’. If you can tell me what that means I can find out. I am so lame at all this!!

Thanks for the help!
Naz

Naz,

Assuming that you can add the correctly encrypted password to .htpasswd, it seems okay. However, using a control panel (don’t you have a control panel available?) makes it trivial as they take care of all the nitty-gritty details of the encryption, location of the .htpasswd and setting the valid-user.

Regards,

DK
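
Added example, not code from any poster in this thread: one Apache 2.4 way to meet the two goals stated above (password-protect the directory and force HTTPS) so that the Basic auth challenge is only issued over HTTPS. It assumes Apache 2.4 with mod_rewrite and a host that permits `<If>` and `Require` in .htaccess; the host name and paths are the thread's own placeholders.

```apache
# Added example: .htaccess placed in /store/admin/ (Apache 2.4 assumed).
#
# Per-directory RewriteRules run in Apache's fixup phase, which comes after
# the authentication phases. With a bare "Require valid-user", a plain-HTTP
# request gets the 401 challenge first, the browser sends the Basic
# credentials (base64-encoded, not encrypted) over HTTP, and only then is
# the request redirected. Browsers also scope Basic credentials to the
# origin, so http:// vs https:// and www vs non-www each prompt separately.

RewriteEngine On
# %{HTTPS} is "on" for TLS requests; "!=on" is a string comparison.
RewriteCond %{HTTPS} !=on
# $1 keeps the requested path instead of always landing on /store/admin/.
# Always redirect to one canonical host name so the browser reuses the login.
RewriteRule ^(.*)$ https://www.domain.co.uk/store/admin/$1 [R=301,L]

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/domain/htpasswdlocation/.htpasswd

<If "%{HTTPS} == 'on'">
    # Credentials are requested only once the connection is encrypted.
    Require valid-user
</If>
<Else>
    # No challenge on plain HTTP. The RewriteRule above matches every
    # request in this directory, so each one is redirected, not served.
    Require all granted
</Else>
```

To check the result, request a page under the directory over plain HTTP and confirm the response is a redirect to the https:// URL with no `WWW-Authenticate` header; the 401 should appear only on the HTTPS request.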

Static box, the old, traditional way of web hosting where 1 single computer is configured to host or run the website.
The alternatives are clustered hosting, distributed, or cloud. Where multiple computers could be running the website or service.

When using a server level login, .htaccess, apache, php-pear, they all store a credential on that 1 computer alone, the local hard drive. That login only works if the website goes to the same computer every time.

I have checked with my hosting company, and my website is resolving to one server.

Also, I have now changed the .htaccess to the following:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/domain/protectstore/.htpasswd
AuthGroupFile /dev/null
require valid-user

But I am still having to enter username and password multiple times. Do you have any other suggestions please? I can’t use the cPanel to add a .htaccess, as I don’t have access to do this with my hosting.

Many thanks
Naz

I think dklynn was suggesting you use the cPanel “Password Protect Directory” function to add the password protection, rather than trying to do it yourself via the .htaccess file. Does your hosting account not use cPanel?

Thanks, TB, correct!

The problem with creating your own htpasswd file is that you are required to create the encrypted passwords in a specific manner (with an encryption tool?). If you’re not doing that, your homemade password protection will not work.

Me, I’m lazy enough to use cPanel’s “Password Protect Directories” function … with great success.

Regards,

DK