Protecting folders with .htaccess

Question

I met some trouble with my website (www.barbarian-strongman28.fr).

I set some url rewriting using this .htaccess which is in the main public folder of my server (called www)

.htaccess:

Options +FollowSymlinks
RewriteEngine On 
ErrorDocument 404 /index.php?p=404
# Pages with the PHP p= parameter
RewriteRule ^([^/]*)/([^/]*)\.html$ /index.php?p=$1&id=$2 [L]
RewriteRule ^([^/]*)\.html$ /index.php?p=$1 [L]

I have a folder called admin that I want to protect.

So I set this .htaccess

AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /htdocs/admin/.htpasswd 
AuthGroupFile /dev/null 
require valid-user

I've uploaded this file in the folder that I want to protect

The trouble I have is that the website also require an authentification even if I am not in the directory protected.

Any kind of help will be much appreciated.

Answer 1

I'm guessing your .htaccess file is in the main directory of your server. That's your problem:

"Also note that if you place this htaccess file in your root directory, it will password protect your entire site, which probably isn't your exact goal."
(from http://www.javascriptkit.com/howto/htaccess3.shtml)

So the solution is simple: put the .htaccess file in the directory you want to protect. You should also make sure of a few things (though they seem ok in your script):

1. That the paths to all the files are server paths not URLs (you've done this);
2. That the .htpasswd file is in a secure location
3. That the .htpasswd file is in the format username:password, with the password encoded - here's a tool for creating .htpasswd files if you need it.

Hope this helps.