CODEWITHSUNDEEP
.htaccessauthenticationpassword-protection.htpasswd
testing
testing

Reputation: 20279

htaccess doesn't work - always wrong password

I am trying to password protect a directory, and have two files in the directory which should password protected it:

HTACCESS:

###Contents of .htaccess:
AuthUserFile /var/www/html/path/to/my/directory/.htpasswd
AuthName "Protected Files"
AuthType Basic
Require user admin

HTPASSWD:

###Contents of .htpasswd
admin:oxRHPuqwKiANY

The password is also admin, but no matter what password I try, it is always wrong. It immediately asks for the password again!

What is wrong with this configuration?

Upvotes: 30

Views: 62498

Answers (11)

devklepacki
devklepacki

Reputation: 74

For me there were multiple issues and I spent several hours trying to get this to work.

  1. To my surprise I had to use relative path for AuthUserFile like so:
AuthUserFile ../.htpasswd # f.ex. one directory up
  1. The structure of my .htaccess had to be different, I have no idea why as I didn's see this anywhere written like this:
AuthType Basic
AuthName "Login"
AuthUserFile ./.htpasswd # current directory

<Files "wp-login.php">
  Require valid-user
</Files>
  1. Had to do file permission 644 for the .htpasswd file
  2. It only worked when the .htpasswd was encrypted with crypt() algorithm

Upvotes: 0

user669677
user669677

Reputation:

I had the same issue.

  • The password should have specified encryption:

CRYPT_STD_DES - Standard DES-based hash with a two character salt from the alphabet "./0-9A-Za-z".

function standard_salt(){
$a = array_merge(range(0,9),range('a','z'),range('A','Z'));
return (string) $a[rand(0,count($a)-1)].$a[rand(0,count($a)-1)];
}
    
echo(crypt("admin",standard_salt()));

example:

admin:dsbU.we73eauE

Online javascript encripter is also available.

If it still does not work, take care of these:

  • use unix linebreaks
  • use correct AuthUserFile path, You can get it using: echo $_SERVER['DOCUMENT_ROOT'];
  • set file readable: chmod(".htpasswd",0644);

Upvotes: 1

Denis
Denis

Reputation: 49

Also, if you are scatterbrained like me, make sure you have some content to display, like some index.html file in the directory. Otherwise, it will look like authentication failed, while it's just that the server is not allowed to display the directory listing.

Upvotes: 0

Kagan Kongar
Kagan Kongar

Reputation: 81

use 

htpasswd -b .htpasswd admin admin

to use the password from command line.

Upvotes: 0

sidarcy
sidarcy

Reputation: 3008

I had a similar issue using MAMP and it was because i was creating .htpasswd by hand. Solution was to use htpasswd command in terminal:

htpasswd -bc .htpasswd someuser somepass

this created the .htpasswd file which worked fine with my .htaccess file which looked like so:

AuthType Basic
AuthName "This site is in alpha and requires a password."
AuthUserFile "/Applications/MAMP/htdocs/mywebsite/.htpasswd"
require valid-user

Upvotes: 26

Brad Parks
Brad Parks

Reputation: 71961

There's a small chance you're seeing password protection from a parent folder, not the folder you expect.

If your /etc/apache2/sites-enabled folder has only one file in it, check to see if it has a section for your sites folder, something like:

<Directory /var/www/mysite.com>
   AllowOverride All
</Directory>

otherwise, if it has a file for your site name, like:

/etc/apache/sites-enabled/YOUR_SITE_NAME_HERE.conf

edit that file instead, and make sure that there's an 

AllowOverride All

in there. That's the important part! If you want to only allow the minimum, specify:

AllowOverride AuthConfig

instead.

Upvotes: 6

Dakusan
Dakusan

Reputation: 6691

My problem was that I did not give an absolute path for the AuthFile line.

Upvotes: 3

Oleg
Oleg

Reputation: 1

I spent about 2 hours to resolve the same issue. But problem was in nginx. I have nginx as front web server and there was a line for proxy configuration:

proxy_set_header Authorization "";

It overrides Authorization field and apache don't receive login and password typed in.

I just commented out this line and it worked.

Upvotes: 0

Betty
Betty

Reputation: 572

I had the same problem. Turned out the issue was this line:

Require user admin

If you specify admin you can only access the directory with admin even if you have other users in the .htpasswd file.

If you want to specify the users in the .htpasswd file, you can change the line to:

Require valid-user

Upvotes: 4

tkotisis
tkotisis

Reputation: 3552

Also, make sure your password file is ANSI-encoded.

Upvotes: 0

Mike
Mike

Reputation: 847

This problem is almost always because apache cannot read the .htpasswd file. There are four causes that come to mind:

  1. it isn't parsing the path correctly... how did you create the .htaccess file? Does it have unix line endings (versus say using Notepad in Windows?

  2. is the path correct? What does the following command (with the path update) show? ls -l /var/www/html/path/to/my/directory/.htpasswd

  3. does the web server have access to the file? chmod 644 and see if that solves the problem.

  4. it can't parse the .htpasswd file: in this case, you are using the crypt() encryption so it does seem you created the file on Linux and it is probably fine. Some types of encryption only work on certain platforms, if in doubt try switching to MD5.

You may find helpful messages in the Apache error log.

My money is on #3.

Upvotes: 31

Related Questions