Authentication: Secure Single Files

Basic Authentication

Authentication - Single Files

There are occasions when you would like to password protect one or two files. Using basic authentication makes this relatively easy.

This page provides a few examples.

Preparation

Add name/password pairs to your password file, I currently have the following:

Edit file: UniServer\udrive\htpasswd\www\.htpasswd add new users as required

root:root
John:john123
Dave Smith:dave123
Mike:mike123
Jane:jane123
Dawn:dawn123
Ruth Smith:ruth123

Note 1: Delete the first entry root:root (everyone knows this) I use it for testing

Top

Basic format

To protect a file you require the following blocks in file UniServer\udrive\www\.htaccess

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
AuthGroupFile /htpasswd/www/.htgroup

Set-up Basic Authentication
This is the first block it sets-up basic Authentication
If you are not using groups delete the last line.
You do not then require a groups file.

<Files {file name}>
 Require {valid-user or user and or group}
</Files>

Files block for each file you wish to protect
Specify a file. Note: Its name must be unique (see image example test as to why).
Require functions in the same way as covered for folders

Top

Example 1

Create the following test pages:

Preparation

  • Create a new text file named demo1.html in folder UniServer\udrive\www with the following content
<html><head><title>Demo 1</title></head>
<body>
<h1>Demo 1</h1>
</body></html>
  • Create a new sub-folder in UniServer\udrive\www named demo2
  • Copy file UniServer\udrive\www\images\logo.jpg to folder UniServer\udrive\www\demo2
  • Create a new text file named demo2.html in folder UniServer\udrive\www\demo2 with the following content
<html><head><title>Demo 2</title></head>
<body>
<h1>Demo 2</h1>
</body></html>

The above provides two html files and one image to protect.

Define Files block

Page demo1.html

<Files demo1.html>
 Require user root
</Files>

Name of file to protect
User root allowed access

Page demo2.html

<Files demo2.html>
 Require user "Dave Smith" 
</Files>

Name of file to protect
User Dave Smith allowed access. The name contains a space hence must be enclosed in quotes

Image logo.jpg

<Files logo.jpg>
 Require user John Dawn
</Files>

Name of file to protect
Two users John and Dawn are allowed to access this image

Top

Edit .htaccess

Add the following blocks to file UniServer\udrive\www\.htaccess

The complete authentication block should look like this (delete any extra linesin the block)

#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd

<Files demo1.html>
 Require user root
</Files>

<Files demo2.html>
 Require user "Dave Smith"
</Files>

<Files logo.jpg>
 Require user John Dawn 
</Files>

Top

Tests

Test 1

  • Run servers
  • Restart browser
  • Type http://localhost/index.php into browser - You will be challenge for a name and password. - click cancel
  • Type http://localhost:81/demo2/logo.jpg again you will be challenge for a name and password.
  • Enter either John john123 or Dawn dawn123 to view the image

Top

Undesirable side-effect

Generally speaking the location of a fie makes it unique edit the file in one location and the other version in a different location is not changed.

However the .htaccess file does not make this distinction, being placed in the web-root it is protecting the current folder and all sub-folders. Any file that matches the name set in the Files directive is protected by the Require line.

This can cause some undesirable side-effects for example if you are hosting many sites with different logos with the name logo.jpg all logo.jpg are protected. Hence a user will be prompted for a name and password before the logo can be displayed.

Top

Solution

Solution is simple create a sub-folder and copy all unique files to be protected into it. Create a new .htaacess and place all associated directives in this file. Remove the directives from the web-root .htaccess file.

Using our example files

  • Copy .htaccess from www into folder demo2
  • Move file demo1.html to folder demo2
  • Remove this section from file www\.htaccess
#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd

<Files demo1.html>
 Require user root
</Files>

<Files demo2.html>
 Require user "Dave Smith"
</Files>

<Files logo.jpg>
 Require user John Dawn 
</Files>
  • Delete everything in file www\demo2\.htaccess with the exception of this block:
AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd

<Files demo1.html>
 Require user root
</Files>

<Files demo2.html>
 Require user "Dave Smith"
</Files>

<Files logo.jpg>
 Require user John Dawn 
</Files>

Having isolated the files effectively makes them unique and can be targeted specifically

Top

Test 2

Run the following tests:

  • Run servers
  • Restart browser
  • Type http://localhost/index.php into browser - You will not be challenge for a name and password.
  • Type http://localhost/demo2/logo.jpg You will be challenge for a name and password.
    • Enter either John john123 or Dawn dawn123 to view the image
  • Type http://localhost/demo1.html When challenged enter root root
  • Type http://localhost/demo2/demo2.html When challenged enter Dave Smith dave123

We are not protecting the folder but individual files.

Note: If you with to repeat the tests remember to restart your browser.

Top

Summary

Protecting individual files is easy each new file requiring only a small section of code.

If running an Intranet you probably don’t need to use encryption however if the content is sensitive data it needs to be secured.

On the next page I cover single file encryption.

Top


  Ric