Basic Authentication with htaccess but without password file
Solution 1
It would not be that wise to have the users and passwords inside the .htaccess file (or the apache-config itself) for min. two main reasons.
See, the .htaccess lies inside a directory of your website. The password file should never lie there, because everyone could then download it and has a complete list of valid usernames. And can brute force their passwords offline.
Another reason could be that you could have a large number of users/groups for a BASIC auth protected website. You do not want to mix server config and authentication database.
Solution 2
You can absolutely use .htaccess to restrict access, but I don't know of any way to avoid creating an equivalent .htpasswd file if you want to control access via users and passwords, rather than whitelisted IP addresses or similar.
Now, you can create any number of .htpasswd files; so if you wanted a specific one for a specific directory, that would be easy to set up by creating the .htpasswd file using:
htpasswd /usr/local/etc/apache/.your_htpasswd_filename_here username_here
then specifying it using the "AuthUserFile" directive in your .htaccess file.
Related videos on Youtube
01 : 40
07 : 00
05 : 32
06 : 16
01 : 49
Admin
Updated on September 17, 2022Comments
-
Admin over 1 year
Can I use htaccess to restrict access to my site and specify the username/password within the .htaccess, so I don't have to worry about password files?
-
Mnebuerquo over 14 yearsApache should never let anyone download the .htaccess file, or you have problems. Normal httpd.conf has a directory match for all .htaccess files with deny all. How easy is it to get the .htaccess file from outside the machine? If you only need one user/password for a given path, it won't be hard to maintain. If the username is not a shell account to the machine then the web data it protects is the only risk if the .htaccess file is compromised.
