Windows, Apache and .htaccess authentication

It is quite sim­ple to use .htac­cess on Win­dows. Sim­ple instruc­tions with screen­shots here.

Enabling pass­word authen­ti­ca­tion on Win­dows using Apache (and here's a link if you wish to RTFM) given the knowl­edge that you are busy folks so these are merely quick instruc­tions to get it work­ing on Windows.

Some things to know beforehand:

  1. Path to your Apache server (e.g., c:apache)
  2. Path to your CONF folder (e.g., c:apacheconf)
  3. Path to your DOCROOT folder (e.g., c:apachehtdocs)
  4. Path to the folder you wish to password-protect. In my
    exam­ple, lets take a folder called "secure", so the path to this
    would be "c:apachehtdocssecure". (It could be ABOVE the htdocs
    folder as well, FYI).

Ok, let the show begin:

  1. Open up your httpd.conf. (On my machine this is at
  2. Look for the word called "Access­File­Name". I believe there
    should be a line like this:

    AccessFileName .htaccess

  3. If you use Win­dows 2000 or above, then move on to step 4
    (because you can cre­ate files like ".htac­cess" on your sys­tem which
    do not have any­thing before the dot in the file­name. If not, then
    change this line to the following:

    AccessFileName ht.acl .htaccess
  4. Then, we need to add the direc­tory to the con­fig­u­ra­tion.
    Instead of rat­tling on about how to do it, here is a

    alt="This is what the HTTPD.CONF should look like. " />

    Please note that "/apache" in the direc­tory path means that it
    starts from the root drive on my machine ("c:"). Adjust

  5. Our httpd.conf is done. Now we need to cre­ate the pass­word
    file. Open up a DOS prompt and go to the apache's BIN direc­tory. In
    my case, it is "c:apachebin". Any­way, again, I think a screen­shot
    is more helpful.

    alt="Instructions for cre­at­ing the pass­word file" />

  6. Now, we need to cre­ate the HTACCESS file itself. As per point 3
    above, either cre­ate a ".htac­cess" or a "ht.acl", whichever suits
    you fine. I will keep my exam­ple to "ht.acl" because this works on
    ALL win­dows sys­tems if they use Apache 1.12…or above. Here is
    what this looks like.


  7. Save the above file into your SECURE folder because it
    rep­re­sents only that folder context.

READY TO ROLL! (I restarted my Apache, just in case). Here is
what hap­pens when I try to access my folder from the browser:

  • mark

    how to enable url rewrit­ing in win­dows? thank you so much for this tuto­r­ial but htac­cess on win­dows is not very use­ful to me unless i can also use is to mir­ror my rewrit­ing on my pro­duc­tion server which uses freebsd. thanks for any ideas.

  • snip­tools

    Mark, did you enable your rewrite mod­ule in your httpd.conf? Uncom­ment this line if it exists:

    Load­Mod­ule rewrite_module modules/

    Or just write it if it doesn't already exist. That's it.

  • Xcape

    you need to put " " around the path to the pass­word file, sec­tion

  • snip­tools

    Thanks Xcape. It works in the above exam­ple as there are no spaces in the path, but yes, if we had paths like this:

    c:\program files\apache group.…

    ..then quotes are use­ful! Thanks for the tip.

  • John

    "If you use Win­dows 2000 or above, then move on to step 4 (because you can cre­ate files like ".htac­cess" on your sys­tem which do not have any­thing before the dot in the filename."

    You sure? I can't cre­ate a file named .htac­cess in WIN2K

  • riad

    the tuto­r­ial is very nice, but there is some­thing i did not under­stand !! as soon as i made the htac­cess pro­ce­dure , my apche server become very HEAVY !! is that nor­mal ??
    thanks for answering

  • Nick­o­las

    John> Win­dows 2000 (I'm using Advanced Server on my server) will not allow the cre­ation of .htac­cess files in the explorer, but if you save a notepad fiel as .htac­cess, and rememe­ber to set the file type as "All types", it'll save the .htac­cess file all well and good. And then copy­ing and past­ing the file works, as well as edit­ing it's content.

  • Stu­art

    First a very good tuto­r­ial, the best I have found on this subject.

    A few com­ments. when cre­at­ing a new file on win­dows XP (right click,new/text_file then rename to '.htac­cess') I get a sys­tem error 'You must type a file­name'. Then when I rename it to ht.acl my sys­tem thinks the file is a 'Auto­Cor­rect List File' which might or might not cause prob­lems!! I renamed it to '' :)
    Then I added c: to the change in httpd.conf file as I assume this may be needed.??

    I restarted apache and tested my newly secured folder.… I got the user/pass prompt :) but my user­name and pass­word failed :( — I have recre­ated my pass­word file sev­eral times to check the spelling etc but the this has not helped :(

    If any­one has any sug­ges­tions please email me, or post here.


  • snip­tools

    Hi Stu­art,

    Thanks for the kind words. You're lucky you're on Win XP because I bet it works.

    (1) For cre­at­ing .htac­cess, don't cre­ate it inside Explorer. Open Notepad, type some­thing and SAVE AS ".htac­cess" and choose the file type as "ALL FILES". Works with­out a croak.

    (2) For Apache and your pass­word file in gen­eral, I would delete every­thing and start afresh instead or renam­ing files etc. Just fol­low the instruc­tions here from step 1. I cre­ated a new test secure folder and it works imme­di­ately. FYI, I tested this on my Win XP box which has Apache2 run­ning. (Could test it for you on Win2K and Win98 as well).

    Hope this helps! –Shanx

  • Stu­art

    Thanks Shanx,

    I started again (removed the pre­vi­ous files etc) and it worked :)

    Thanks agian,

  • Mike

    I'm using winXP with apache server I fol­lowed all the direc­tions above but when I send my browser to the spe­cific file, it says for­bid­den you don't have access to /secure/ on this server. If I put a link from another page to it, it goes straight in with­out the ask­ing about pass­word or user­name, any ideas.

    Thank you

  • snip­tools

    You must have some other set­tings in your HTACCESS that may be con­flict­ing with these secu­rity set­tings. Can you per­haps share your HTACCESS file? You can email me per­son­ally if you prefer.

  • topquark

    So has any­one been able to use win­dows authen­ti­ca­tion with Apache 1.3.x?

  • Alok

    Yes, I have. Are you hav­ing prob­lems with it?

  • Will

    If you cant cre­ate a .htacess file in win­dows you can use dos.

    1) Cre­ate a sim­ple htaacess file in notepad just save it as "htacess" no "."
    2) Run -> Cmd
    3) No we are in dos/command promp­ty­ness
    ren htac­cess .htaccess

  • immy

    Hi guys,

    I'm run­ning xp with apache ver­sion 2.0.47. I have cre­ated the .htac­cess file and left the these lines in in my conf file

    Order allow,deny
    Deny from all

    When i try to access the secure direc­tory it lest me in with out any prompt for a pass­word plus i dont see the .htac­cess file listed when i get in through browser

    can any­one advise me what i should do to get it to work


  • Chris Tra­verse

    i fol­lowed the instruc­tions to the let­ter (im run­ning apache/1.3.29 on win­dows 2000). The first time i did it i just got an inter­nal server error mes­sage. So i tried again and this time it justlets me access the files, no ques­tion of putting a pass­word or user­name in.. Any­one else had these problems ?

  • PatrikRoy

    Thanks for all, I tested it with Apache 2 on Win­dows 2000.
    Works fine :)

  • snip­tools

    Chris Tra­verse, you need to tweak your HTACCESS file, most likely. If you still haven't got it work­ing, please write to me per­son­ally with a sam­ple of your HTACCESS file attached. HTH, Shanx

  • foxer

    This didn't work just like this, i had to put:

    AllowOver­ride All
    Options None
    Order deny,allow

    instead just "/apache/htdocs/secure"

    run­ning apache 1.3.27

  • jc

    Excel­lent tutorial

  • John p.

    Won­der­ful tutorial.

    I have noticed many tuto­ri­als out there giv­ing code and so forth, but none men­tioned directives.

    So, am I to under­stand that [nc] or [r,l] is a direc­tive?
    If so, is there a spe­cific .htac­cess man­ual for this?

  • H Rage

    When cre­at­ing a .access file on win­dows systems:

    Type one in notepad
    Save As


    It is impor­tant to remem­ber the quotes; they're the things pre­vent­ing the .txt exten­sion and the file­name alert when you only use an extension.

  • Nick


    I am run­ning win­dows 2003 and apache 2. I fol­lowed your instruc­tions, but if i go to secured area it doesn't ask me for login (#7)

    here is my con­fig please help as I need to bring my site live ASAP. thanks

    Shashank's Edit:
    Your .htac­cess file is here, due to the length

  • inge­nious

    Thank you– works like a charm with my apache 2 server

  • snip­tools

    Nick, Thanks for the htac­cess file, but it was huge and made this page over­flow­ing so I have moved it into a sep­a­rate file on this server. As for the prob­lem, where is your "Direc­tory" direc­tive? Pls read the instruc­tions and fol­low them to the let­ter. Once it works, as in the exam­ple on this page, then try for your own paths etc.

  • pop­eye

    hi all.

    nice tuto­r­ial.

    I was won­der­ing. Is it pos­si­ble if you already set up a pro­tected folder to add users via a sort of web­based script.,so dont have to physicly be at the server, but can remotely add an user account


  • snip­tools

    Hi pop­eye, you can swing by this cool tool: ..this is CGI, but you can get an idea and imple­ment this in what­ever lan­guage you wish..HTH, Shanx

  • Tony

    I tried in W2k, thx it works but I can find a log off fea­ture — I can access the "secure" direc­tory again even I closed the IE after access­ing it!

    Any sug­ges­tion on mak­ing a log off session?

  • PyroL­una

    I got another trick to make win­dows accept file­name .htac­ces
    I have acces to a web­di­rec­tory and when I rename my file over­there, it's no prob­lem, so then I copy it back to my local pro­tected direc­tory et voila, it works! :)

  • T_R_J

    Just wanted to thank you for hav­ing the answer I needed. Keep up the great work.

  • jdang

    this is a nice tuto­r­ial but im hav­ing prob­lems. i want to pro­tect a direc­tor called "S04" in a direc­tory called "jdang" in my htdocs. my apache is located in "c:\Program Files\Apache Group\Apache2", so here is the rel­e­vant part of my httpd.conf file:

    Access­File­Name .htaccess

    AllowOver­ride All
    Options None
    Order deny,allow

    here is my .htac­cess file (and yes, i prop­erly named it as a .htacess in win­dows XP)

    AuthUser­File "/Program Files/Apache Group/Apache2/passwd/passwords.txt"
    Auth­Name "S04"
    AuthType Basic

    require valid-user

    My pass­word file is located in "C:\Program Files\Apache Group\Apache2\passwd\passwords.txt"

    When i test it, i go to "" I don't see my folder "S04". So, I man­u­all type in "" and it asks me for my user­name and pass­word, and it accepts the user­name and pass­word, but it comes up with this error:


    You don't have per­mis­sion to access /jdang/S04/ on this server.

    I know my user­name and pass­word is cor­rect because if i type in an incor­rect com­bi­na­tion it will just prompt me for my user­name and pass­word again.

    Sorry for the really long post, but could any­one help me?

  • gate­way

    Thanx very much for this tuto­r­ial!
    I search around day and no one could help me!
    Now it works.…

  • Bran­don

    I'm hav­ing prob­lems wiht this tuto­r­ial. Every­time I keep try­ing to access my folder that I set for authen­ti­ca­tion, it gives me a forbbend mes­sage. Here is my .htac­cess file:

    AuthUser­File "C:/Program Files/Apache Group/Apache/bin/passwd.txt"
    Auth­Name "This is my secret area"
    AuthType Basic

    require user beetle

    Can some one help. Thank you.

  • esophal

    When I upload .htac­cess or ht.acc to any direc­tory on my server, my entire web­site got effected.

    eg. when I cre­ate direc­tory called secure, even my main / request for login.

    Please help…

  • snip­tools

    Hi guys,

    The instruc­tions in the tuto­r­ial above work for any Apache instal­la­tion on any ver­sion of Windows.

    If you are hav­ing prob­lems even after mak­ing SURE that you have fol­lowed the instruc­tions above, then the only other pos­si­bil­ity is that you have some­thing in your htac­cess file that con­flicts with the new instructions.

    In this case, the only way out is for you to send me (pri­vately) your .htac­cess file and let me look at it for pos­si­ble anomalies.


  • cap'n

    I'm using Apache 2.0.49 on Win2k
    I'm using a .php script over Apache and set the
    $z_apache_auth = true; # Append Apache user:password to playlist urls.
    This is work­ing fine for winamp… but my linux friends with xmms aren't get­ting in..

    dealt with this scenario?

  • Olmen

    Why doesn't the secure folder list in the root folder of the server.

    E.g. the folder /secure does not show up at all, you have to type in the address manually…

  • snip­tools

    Hi Olmen, I am not sure I under­stand the ques­tion. What is your path structure?

  • Jesse

    I don't know what the prob­lem is.…I fol­lowed your instruc­tions exactly, but when i go to the direc­tory that is sup­posed to be pro­tected, I keep getting:

    Inter­nal Server Error
    The server encoun­tered an inter­nal error or mis­con­fig­u­ra­tion and was unable to com­plete your request.

    Please con­tact the server admin­is­tra­tor, and inform them of the time the error occurred, and any­thing you might have done that may have caused the error.

    More infor­ma­tion about this error may be avail­able in the server error log.

    — — —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  — –

    Apache/2.0.49 (Win32) Server at Port 80

    my doc­root is C:\webroot, Apache is under C:\web servers\apache2\. If there's any­thing else I should be doing, please tell me. Thanks in advance!

  • Punk

    If a path in the .htac­cess file has spaces in it, you must enclose it (the path) in quotes.


  • kaushik


    the tut is really nice

    my php­myad­min path is c:/phpdev3/www/html/phpMyAdmin

    my doc­root folder is c:/phpdev3/www/html

    my apache BIN folder path is c:/phpdev3/apache/bin

    I want to pre­vent acceess to the php­MyAd­min folder so i cre­ated a passwd.txt file as required in BIN folder of Apache.…

    I added the nece­sary com­ments to the httpd.conf file in the CONF direc­tory of Apache.….

    & i cre­ated a .htac­cess file in the php­MyAd­min folder with the nec­es­sary contents.…..

    but when I try to access php­Myad­min folder, it tells me the fol­low­ing message

    You don't have per­mis­sion to access /phpmyadmin/ on this server.
    — —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  — –
    Apache/1.3.19 Server at bal­last Port 80

    it does NOT ask me for the user­name & the paassword

  • snip­tools


    Can you share the sec­tion of your httpd.conf? I believe your path there may be wrong, or it may be con­flict­ing with another direc­tive in your file.


  • evil

    ok ive got it to ask me for a user and pass hurrah :)

    but i then get the mes­sage For­bid­den
    You don't have per­mis­sion to access /secure/ on this server.

    what have i missed ?


  • revertzero

    This is a great tuto­r­ial, def­i­nitely the best I've seeen on the subject.

    Sim­i­larly to oth­ers I think I've got a con­flict­ing direc­tive as once I am pre­sented with the pop up box and I cor­rectly enter my login details I get the fol­low­ing mes­sage:
    You don't have per­mis­sion to access /si/ on this server.
    — —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  — –

    Apache/1.3.27 Server at local­host Port 80"

    My Apache access log states
    " — irfan [08/Jul/2004:12:20:20 +0200] "GET /si/ HTTP/1.0" 403 304"

    My Apache error log states
    "[Thu Jul 08 12:20:20 2004] [error] [client] Direc­tory index for­bid­den by rule: d:/home/www/si/"

    My ht:acl file reads:

    "AuthUser­File "c:/Program Files/EasyPHP1-7/apache/bin/passwd.txt"
    Auth­Name "Doc­u­men­ta­tion Area"
    AuthType Basic

    require valid-user

    Is this in con­trast with my httpd.conf file directives ?

    Doc­u­men­t­Root "D:/home/www"

    Options Fol­lowSym­Links Indexes
    AllowOver­ride All

    Options Indexes Fol­lowSym­Links Includes
    AllowOver­ride All
    Order allow,deny
    Allow from all

    AllowOver­ride All
    Options None
    Order deny,allow


    Thanks for point­ing me in the right direction

  • revertzero


    (IfMod­ule mod_dir.c)
    Direc­to­ryIn­dex index.html index.htm index.shtml index.php

    my index file had a .htm exten­sion and .htm wasn't listed in the above.

    sorry for all the mes­sages but at least you can now say that this tuto­r­ial is so great it even works on NT 😉


  • dstack

    Great tuto­r­ial! This helped me out of a jam this morn­ing. Nice work…

  • Chris

    Heres somthing a bit dif­fi­cult… i fol­lowed your tuto­r­ial like so and when i got to access the pro­tected direc­tory i get a 500 Inter­nal Server Error… here are the specs.

    Oper­at­ing Sys­tem: Win­dows XP Pro SP2
    Apache Server Ver­sion: 2.0.50

    httpd.conf file:

    ht.alc file:

    Any sug­ges­tions would help.…

  • Chris
  • Chris

    nev­er­mind.. i fixed it lol… Excel­lent tuto­r­ial btw..

  • Matt

    This guide is the by far the best I have encoun­tered. I have no prior Apache expe­ri­ence and this saved me big time.


  • elwyn

    This tuto­r­ial is good. But i have one ques­tion here.
    If my Apache is dif­fer­ent in a dif­fer­ent server with my web appli­ca­tions. How do i set the path for the in httpd.conf

    AllowOver­ride All

    Can any­one please help?
    Thank you.

  • Shu­mam

    # Based upon the NCSA server con­fig­u­ra­tion files orig­i­nally by Rob McCool.

    [trimmed due to size]

  • Shu­mam

    above is my httpd.conf.…..I'm using winXP with apache server I fol­lowed all the direc­tions above but when I send my browser to the spe­cific file, it says for­bid­den you don't have access to /secure/ on this server. If I put a link from another page to it, it goes straight in with­out the ask­ing about pass­word or user­name, any ideas.

  • jkue

    have you thought about a forum? it is hard read­ing such long posts (noth­ing against the per­sons), for me anyway.

    Please, post ONLY the rel­e­vant points in your solu­tions guys and gals. This makes it easy to eval­u­ate, the use­ful­ness and accu­racy, and also makes easy reading.

  • Shu­mam

    I am really sorry for any dis­rup­tion. If admin wants to take it off, no prob­lem. But if any body knows the prob­lem please do let me know. thanks

  • jkue

    Your prob­lem Shu­mam lies here (look at the arrows –>). You have given rights, but in the alias taken it away also. This should be cor­rected, either None or All.
    —— SNIP ——
    Doc­u­men­t­Root "/web tools/machine_reporter/"
    Access­File­Name ht.acl .htaccess

    AllowOver­ride All –> Allow All
    Options None
    Order deny,allow

    Alias /machine_reporter/ "C:/web tools/machine_reporter/"

    Options Mul­ti­Views
    AllowOver­ride None –> Allow None for the same folder.
    — — — SNIP — —  — -

     – Check your Error_Log file in "c:/web tools/logs". The answer is always in there.
     – try not to use spaces in the names of fold­ers ("web tools" should be "web_tools"), this is better.

    Notice I did not cor­rect it for you? I wanted you to get use to search­ing and cor­rect­ing errors(I pre­sume you are a Admin). Trust me, this is the best way, and incase it does­not work, you have a start where and how to look.

    I did not mean it like it sounded above, I apologise.

  • jkue

    Shu­mam for­get the crap from above(if that's not working)the error For­bid­den is because you do not have an index.html, index.php etc. file in the secure folder. Peo­ple, do y'all remem­ber this set­ting in your htconf file? –Indexes

    This means noone is allowed to browse the folder when there is no index file. So, cre­ate an index file in the secure folder, tada!!.

  • Shomam

    That works! thanks

  • Lars E

    Thanks for pro­vid­ing this great tuto­r­ial. Its so much eas­ier fol­low­ing exam­ples than just read­ing about fea­tures with­out see­ing them applied in a con­text! Good on you mate;)

  • Dave

    I am not prompted for any file names can you look at this and see what I did wrong. thanks

    Doc­u­men­t­Root "D:/Program Files/Apache Group/Apache2/htdocs"

    Options Fol­lowSym­Links
    AllowOver­ride None

    Options Indexes Fol­lowSym­Links
    AllowOver­ride all
    Order allow,deny
    Allow from all

    UserDir "My Documents/My Website"

    AllowOver­ride ALL
    Options None
    Order deny,allow

    AllowOver­ride ALL
    Options None
    Order deny,allow

    Direc­to­ryIn­dex index.html index.html.var
    Access­File­Name .htaccess

    Order allow,deny
    Deny from all

    Type­sCon­fig conf/mime.types
    Default­Type text/plain

    MIMEMag­ic­File conf/magic

  • snip­tools


    Which folder do you wish to secure? I'll assume it is the "admin_phone" folder.

    1. Make sure your "Access­File­Name" com­mand is ABOVE any of the DIRECTORY directives.

    2. Make sure the .htac­cess file is in the "admin_phone" folder.

    Actu­ally, before you try an admin_phone folder, can you try the exam­ple men­tioned above, as-is, includ­ing the folder names etc?

  • Sean

    This tute was just what I needed, had spent nearly 1 week try­ing to make .htac­cess run locally like it does on my server, no joy atall ti'l I used this method of cre­at­ing the pass­word file, also using the .htacl exten­sion if the appache httpd file helped I think, muchos thankos for this. regards.


  • Riya

    Thanks for pro­vid­ing this great tutorial.


  • Brian

    Finally made it work — but the process was com­pli­cated by the exis­tance of "Vir­tual Hosts" on my server. And that part is not cov­ered here.

    In another set of instruc­tions (some­where), I remem­ber vaguely, that entries are to be made into that vir­tual hosts sec­tion, if that's where the por­tion of the server and host to be secured is located. Noth­ing worked (no username/password chal­lenge) until I added lines to the main Httpd.conf sec­tion just under "Access­File­Name .htac­cess" line up there.

    Any­way, I got quite con­fused over all this and would appre­ci­ate some spe­cific instruc­tions when "Vir­tual Hosts" is involved.



  • Pierre

    Great tuto­r­ial, but i can't get it to work prop­erly, have tried sev­eral things with var­i­ous results, right now it doesn't ask for a password.

    Could any­one please help me?

  • Paul S

    jkue nailed it.…I had the same access prob­lem (for­bid­den) until I added the index file to the direc­tory that was pro­tected. Oth­er­wise the tuto­r­ial is excellent.

  • James

    I found the apache man­ual to be suf­f­i­cent for instruc­tions on .htac­cess and what to do, even for the begin­ner like me

  • Takrim

    This tuto­r­ial is really wonderful.I have gone through the steps and imple­mented the steps as stated by you. but i do not get any pop-up win­dow ask­ing for user­name and pswd.
    I am using Win2k with apache server.

  • TeDaDeS

    If any­one thinks its inse­cure to send your unen­crypted pass­word over, and over again to the web­site use these settings:

    — —  —  — —
    — —  —  — —
    AuthType Digest
    AuthDi­gest­File /u/soft/www/secure/.htpasswd
    auth­name "Secured Login"
    — —  —  — —

    This set­ting will enc­trypted your pass­word (MD5) before send­ing it to the web­site. Mind this: the data send/received are not encrypted!

    What is the use of this:
    When you receive a 401 error, you a promt to login. When you do, your browser will remind your pass­word so the next page will not promt you again. But your browser will log you in auto­mat­i­cally.
    You don't mind, but your pass­word will be send over-over and over again unen­crypted over the inter­net.
    A sim­ple net­work snif­fer could receive your inter­net traf­fic and retreive your pass­word.
    This set­ting will make that a bit harder to do.

    Mind this: Older browsers might not sup­port this fea­ture (IE 4.0&lower).

  • Lebanese_007

    TeDaDeS, where do you put this code?
    AuthType Digest
    AuthDi­gest­File /u/soft/www/secure/.htpasswd
    auth­name "Secured Login"

    i tried putting it in ht.acl and when i tried to access the site, the broswer gave me an error say­ing that "The server encoun­tered an inter­nal error or mis­con­fig­u­ra­tion and was unable to com­plete your request."

    any help please

  • LcF

    Does the paths work on long file name?

  • — Tech Gad­get Blog

    Restrict Access Using Htac­cess on Windows

    I wrote a sim­ple web appli­ca­tion for stock man­age­ment to be used inside the company(by only a staff). I got a request to imple­ment pass­word pro­tec­tion to the system.

    I do not want to mod­ify data­base and mod­ify the codes(and I am lazy 😛 ). So, the …

  • ixiel

    superb tuto­r­ial!

    to those who had prob­lem please try this tuto­r­ial as it is first.

    u will much under­stand the flow and eas­ier when you want to try your own setting.

    one more thing to remem­ber, try change to this set­ting in the IE > Tools > Inter­net Option > Tem­po­rary Inter­net Files > Choose every visit to the page.

    I man­aged to setup my own htac­cess. It works fine if i restart apache(after make adjust­ment to httpd file) & reload IE but fail when i click GO but­ton. So the workaround to this prob­lem is as above. ("Choose every visit to the page").

    Good luck!

    Thanx for this won­der­ful tuto­r­ial! Bravo!

  • Chimo

    I haven't see any­thing about the fact apache usu­ally for­bid all user to access .ht files. If you decide to use any­thing else than .htac­cess like :

    Access­File­Name foo.txt

    You should change this in httpd.conf :

    Order allow,deny
    Deny from all
    Sat­isfy All

    Accord­ing to this it also mean that you can place your password.txt in the same folder than .htac­cess and rename it to .htpasswd or .htanything_you_want. Nobody will be able to get it.

    In the case of foo.txt I guess the fol­low­ing should work:

    Order allow,deny
    Deny from all
    Sat­isfy All

    pass­word file can be some­thing like foo.txtpasswd

  • ete­gra­tion

    My error log shows

    "[Sat Feb 19 00:13:00 2005] [alert] [client] C:/Program Files/Apache Group/Apache2/htdocs/phpmyadmin/.htaccess: AuthUser­File takes 1 – 2 argu­ments, text file con­tain­ing user IDs and passwords"

    the passwd.txt is in C:/Program Files/Apache Group/Apache2/bin/ already but it seems it's return­ing an error say­ing it's not. Why?

    I'm try­ing to pro­tect C:/Program Files/Apache Group/Apache2/htdocs/phpmyadmin/

  • Paul D Wilson

    hey this might be stu­pid but I dont know the answer, and you guys seem to know a lot about it. Every­thing i have is work­ing fine, the tuto­r­ial for every­thing worked great. but i dont know what it should look like in my passwd.txt file. I know the user­name and pass goes in there, but ive tried to put

    user­name cat
    pass­word dog

    and noth­ing works. plus im sure its not encrypted, should I worry about that and if so ,what should I do about it?


  • Paul D Wilson

    Ok, I just posted some­thing, but I did the whole cmd prompt thing to encrypt the pass­word in the passwd file and it worked, per­fectly! but It wont let me in when I put in the info!


  • Megan

    I have man­aged to set up htac­cess on an exter­nally hosted web­site but am hav­ing trou­ble set­ting it up on the local machine. I think my prob­lem is with the direc­tory set­ting in .htaccess.

    The direc­tory to be pro­tected is:
    The pass­word file is called pass­wds and is in the direc­tory pass­words, i.e.:

    My apache server is under:
    C:\Program Files\PHP Home Edi­tion 2\Apache2

    Do I put in my AuthUser­File: "/private/passwords/passwds" (minus the ""),or;
    "localhost/private/passwords/passwds", or;
    "C:/www/private/passwords/passwds", or some other pos­si­bil­ity that hasn't occurred to me yet?

    I have set the httpd.conf file to "AllowOver­ride All" for the direc­tory C:/www, so the prompt box for login now shows up, but I sus­pect that it can­not find the pass­wds file which is why I can­not log in.

    Any advice would be appreciated.

    Megan :o)


    Great, Works just fine ! thanks for all .

  • snip­tools

    Megan, and oth­ers, please make sure that you're using the path to Apache as demon­strated in this tuto­r­ial. I know Apache installs into "c:\Program Files" which is the Win­dows default, but Pro­gram Filles has a space between the two words, which is a cause of headache in most occa­sions. If it's not too much of a bother, rein­stall your Apache to c:\apache or some­thing. And retry JUST AS SHOWN in the tuto­r­ial on this page. Let me know if prob­lems still persist.

  • Igor

    XP, Apache 1.3
    Cre­ate pass­words file:
    C:\oracle\splet\Apache\Apache\bin>htpasswd passwd.txt marko
    Auto­mat­i­cally using MD5 for­mat on Win­dows.
    New pass­word: *****
    Re-type new pass­word: *****
    Adding pass­word for user marko

    … and so on, for adding new users… (with­out –c) Pass­word for my marko is: marko

    2)Under htdocs cre­ate direc­tory: safe_dir

    Open Notepad, write:
    AuthUser­File c:/oracle/splet/apache/apache/bin/passwd.txt
    AuthType Basic
    Auth­Name "Safe dir 1"
    Require user marko metka

    Save as ht.acl into the safe_dir

    Open httpd.conf and find and change:

    # This con­trols which options the .htac­cess files in direc­to­ries can
    # over­ride. Can also be "All", or any com­bi­na­tion of "Options", "File­Info",
    # "Auth­Con­fig", and "Limit"
    ##AllowOver­ride None –com­ment it out
    AllowOver­ride All

    Cre­ate test.htm and save it in safe_dir

    Run Appache, test access to the test.htm

    Why orig­i­nal man­ual above did't work on my PC:
    I cre­ate ht.acl instead of .htac­cess
    I cre­ate passwd.txt instead of passwords


  • Tom

    Hi there,

    I've been try­ing to pro­tect access to a folder fol­low­ing the steps explained in the tuto­r­ial, but the prob­lem now is that I can still access the folder using my explorer. There's no box ask­ing me for y user­name and passwd…

    I did the fol­low­ing:
     – In my http.conf file, I added the following:

    Access­File­Name .htaccess

    AllowOver­ride All
    Options None
    Order deny,allow

    I cre­ated the passwd.txt file in the folder
    D:\Program Files\Apache Group\Apache2\bin

    After that I cre­ated the .htac­cess file con­tain­ing the fol­low­ing info:

    AuthUser­File "d:/Program Files/Apache Group/Apache2/bin/passwd.txt"
    Auth­Name "This is my secret area"
    AuthType Basic

    require valid-user

    I saved this file in the fol­low­ing folder:

    d:/Program Files/Apache Group/Apache2/htdocs/secure

    After that I stopped Apache and started it again.
    I opened my browser, typed in 'localhost/secure'.
    The con­tent in this folder was displayed.

    How can I solve this problem?


  • Alex­Coates

    I set up authen­ti­ca­tion on my site using your tuto­r­ial and I thank you very much. how­ever I have a ques­tion. I set up authen­ti­ca­tion on my machine run­ning Apache 1.3.33 and it works per­fectly. I tried to set it up on my friends machine run­ning Apache 1.3.27 and it only par­tially works. I copied all the set­tings from my machine to his and set up the aliases. When you try to go directly to the restricted file '', you are asked for a user­name and pass­word. How­ever if you click on a link from the cur­rent page to ' you are not prompted for a user­name and pass. Does any­one have an idea? Is this a bug with that ver­sion of apache and url re-directing? Any help would be nice…here is my con­fig set up:


    Access­File­Name ht.acl

    Scrip­tAl­ias /cgi/ "C:/computers/cgi/"

    AllowOver­ride All
    Options Exec­CGI
    Order deny,allow
    Allow from all

    ht.acl file:
    AuthUser­File C:/computers/passwd.txt
    Auth­Name "Enter user name to Edit"
    Authtype Basic

    require valid-user

    and my pass­word file is located C:/computers/passwd.txt

    This works fine if i go directly to the page or if i go using a link on my Instal­la­tion, but it doesn't ask for authen­ti­ca­tion on my friends when re-directed from another page. Any­one have an idea?
    Thanks Alot and great tuto­r­ial,

  • Sam

    Hey, I have fol­lowed this great tuto­r­ial but I was unsuc­cess­ful. I get to the pass­word prompt, but I can't get past that. I have an index.html as well.

  • joey

    can you do any for­mat­ting of that pass­word popup win­dow? change the font? mul­ti­ple lines? images?

  • snip­tools

    Hi Joey,

    The win­dow will most likely appear dif­fer­ently on dif­fer­ent browsers and dif­fer­ent OSes.

    Although you can change the mes­sage that a user sees by insert­ing a new­line char­ac­ter ("\n") in your Auth­Name text. This should allow mul­ti­ple lines.

    A cus­tomized login that coin­cides with the rest of your site is neat from a design point of view, I guess, but do you really want to spend that much time on a login screen that a user spends no more than a sec­ond on? Espe­cially with all mod­ern browsers sup­port­ing "Remem­ber pass­word" functionality.

    FWIW, you can cus­tomize the error mes­sage that appears if the user can­cels the login by cus­tomiz­ing Apache's Autho­riza­tion Required (401) page.


  • Sameer Pal Singh

    Dear Sir,

    I was stuck in my office for this rea­son, i was not able to do make pass­word pro­tected direc­tory on client's site. i got this page from google and i tried, hoooray it is fan­tas­tic i done it. thank you for CEO, developers…of this site. and i m very glad to see the Indian name below this page Mr. Shashank Tri­pathi as as Indian. Thanks a lot to every­body there.

    Thanks & Rgds,
    Sameer Pal Singh

  • Liz

    I must agree this is an awe­some post and was very help­ful. I fol­lowed the steps although once every­thing was com­plete and I went to see if it would ask­ing me for user­name and pass­word it didn't. Im not sure what's exactly wrong. Im run­ning win­dows 2000 and apache 2.0.53 If some­one might be able to point out what's wrong that would be great.

  • snip­tools

    Liz, oth­ers for whom the tuto­r­ial doesn't work. Please make sure you have the paths in your files prop­erly spec­i­fied and put inside dou­ble quotes if you have spaces in your folder names.

    For instance, on my Apache2, my .htac­cess file looks like this:

    — —  — -
    AuthUser­File "d:\Program Files\Apache\Apache\bin\passwd.txt"
    Auth­Name "Secret area"
    AuthType Basic
    <Limit GET POST>
    require valid-user
    — —  — -

    And my httpd.conf entry looks like this:

    — —  — -
    <Direc­tory "d:/program files/apache group/apache2/htdocs/sniptools/secure">
    AllowOver­ride All
    Options None
    Order deny,allow
    — —  — -

  • Rad­i­ca­tor

    Excel­lent tuto­r­ial. I fol­lowed your instruc­tions and it worked first time per­fectly on my WinXP machine.

    I'd been search­ing for a good expla­na­tion of how to do this for some time and this one actu­ally did the trick.

    Thank you!

  • Tormu

    Thanks, this one really helped, I did know how to pro­tect the direc­tory in other web­spaces, but this one showed me what to do with the apache conf on my own web server :)


    Dude thanks very much for this very imfor­ma­tive + view of the cre­ated .acl files is a great advan­tage. Just out of inter­est how secure is using this method?

  • Chris

    Great writeup! How­ever, I noticed with Apache2, Apache uses the "httpd.default" .conf file instead of the httpd one. I don't know if this is just me, but just thought I'd share, because I was hav­ing fits get­ting it to work until I real­ized this.

  • twig

    thanks for that very detailed tuto­r­ial!
    got my server pro­tected very quickly!

  • Mark

    Cheers for the easy-to-follow instructions.

    I have man­aged to get the thing work­ing, but I have to enter the username/password twice, in iden­ti­cal login win­dows, before Apache will let me in. Not a seri­ous prob­lem but a minor irri­ta­tion that I would like to deal with if any­one can help.

  • WDR

    I have do like your instruc­tion with Apache 2.0.55 but can not ! when I log in to http://localhost every­thing as nor­mally with­out pass­word pro­tecd ! Could you please help me !


  • Ray

    Hav­ing some trou­ble.
    run­ning Win xp pro ser­vice pack 1

    .htac­cess file looks like this

    AuthUser­File C:/Apache Group/Apache2/bin/.htpasswd
    Auth­Name "Mem­bers Area"
    AuthType Basic

    required Valid-user

    con­fig file looks like this

    Access­File­Name .htaccess

    AllowOver­Ride All
    Options None
    Order deny,allow

    When I try to test it , it gives me a 500 inter­nal error

    Can any­body help

    sub­ject .htaccess

    thanks in advance

  • miro

    In the .htac­ces file I have:

    AuthUser­File D:\streznik\www\reiki\.htpasswd
    Auth­Name "Mem­bers"
    AuthType Basic

    require valid-user

    and in the .htpasswd I have:


    Cre­ated by com­mand prompt :
    htpasswd –c –b .htpasswd admin test

    it gives me 500 inter­nal error with the com­ment in the error log:

    d:/streznik/www/reiki/.htpasswd: Invalid com­mand 'admin:$apr1$Qh/.….$zBrg27pYbkwKIWypvMQQ6.', per­haps mis-spelled or defined by a mod­ule not included in the server configuration

    Direc­torz settings:

    Doc­u­men­t­Root "D:\streznik\www\reiki"

    # Other direc­tives here

    AllowOver­ride Auth­Con­fig
    Options None
    Order deny,allow

    I also tried with AllowOver­ride All, but noth­ing changed.

    I have Apache 1.3 on Win­dows 2000. It's pretty rare con­fig­u­ra­tion and I'm not sure that .ht files works there. Can you help me? I would like to stay on this con­fig­u­ra­tion, because I'm not famil­iar with *nix systems.

    Please help.

  • Dave

    I've have many of the same "For­bid­den" errors you have all had. Finally fig­ured it out. I assume most of you are view­ing Direc­tory Indexes…


    You need to have the fol­low­ing instead:
    AllowOver­ride All
    Options Indexes None
    Order deny,allow

    With­out "Indexes" you will lose access to the direc­tory views once you login.

  • Man­gal

    Hi ,

    I tried with the above tuto­r­ial . I found inter­nal server error.When i checked my error log i found foll­wing statements:

    /stage/app/reportsdata/.htaccess: Invalid com­mand 'AuthUser­File', per­haps mis-spelled or defined by a mod­ule not included in the server configuration.

    As i am sure AuthUser­File is not mis-spelled . The 2nd one tells about the required mod­ule. If any­body has any idea on this mod­ule please help me out.

  • snip­tools

    Man­gal– in the mod­ules sec­tion of your httpd.conf, is the fol­low­ing mod­ule enabled (does not have the hash sign at the begin­ning of the line) — mod_auth_db? Shashank

  • Man­gal

    Thanks Shashank.

    Now i am get­ting the user­name and pass­word pop up.When i am giv­ing the user­name and pass­word as i have cre­ated in the passwd.txt file, it failed.I tried all the steps once agin but the found no result.Can You sug­gest something.

  • snip­tools

    If the pass­word isn't work­ing, your pass­word file is either being saved in the wrong place, i.e., it is not con­sis­tent with the path in the ht.acl (under the sec­tion "AuthUser­File"), or you are enter­ing the pass­word incorrectly.

  • Vin­centT

    Top tuto­r­ial! I have been try­ing to get this htac­cess thing work­ing for sev­eral weeks now, but noth­ing worked. The very first time I did things accord­ing to this tuto­r­ial it worked right on! Great!


  • Mauri­cio GarcÃa

    Thanks for all, this tuto­r­ial is very easy, and good, i am not use .htac­ces all con­fig­u­ra­tion in the con­fig file httpd.conf

    : = )

  • Jérémie

    Thanks a lot for your suc­cint and pre­cise help.

  • Lsa

    Hi Shashank,
    I've got Apache 2/php5/mysql5 run­ning on Win­dows 2003. I 'm inter­ested in cre­at­ing web­sites for each of our staff mem­bers – say about 50 users. These web­sites will not be pub­licly avail­able, they will mir­ror web­sites on our pub­lic web­site, and once the infor­ma­tion has been approved the files will be trans­ferred to their dupli­cate pub­lic sites by the administrator.

    My ques­tion, is this htac­cess authen­ti­ca­tion method the way to pass­word pro­tect these "not pub­lic" direc­to­ries? I've got a basic under­stand­ing of namevir­tu­al­hosts but I'm very con­fused on how to set-up Apache for mul­ti­ple users with dif­fer­ent pass­words. And if pos­si­ble, I'd like it to be setup so that these folks can use their exist­ing net­work passwords.

    Any assis­tance or direc­tion you can pro­vide would be GREATLY appre­ci­ated, I'm googled out and I still don't know what approach to take.

  • sha­jil

    I have fol­lowed the step which you have given i am get­ting the win­dow ask­ing for the user­name and pass­word, i have given the user­name and pass­word that i have cre­ated on passwd.txt also cre­ated ht.acl file inside the secure folder

    My prob­lem is login car­dinels are not val­i­dat­ing pls advise me for the same

  • Petrucci

    Hi guys, i fol­lowed the tuto­r­ial, and i think im doing exactly as it says, but it doesnt work, the pass­word box is not prompting.

    here is my htac­cess file

    AuthUser­File "c:/apache2/bin/passwd.txt"
    Auth­Name "lalalal"
    AuthType Basic

    requiere valid-user

  • Yayan

    hii frend i have try it but when i restart the apache still zero ,no change i use win­dows 2000 pro­fe­sional,
    and this con­fig­u­ra­tion
    any body help me

  • Marco

    Thank you for the quick-manual! Helped me get the .htac­cess to work also in Win­dows! Tooks some loooooongs nights to tweak this out :-)

    One thing that was keep­ing me unsuc­cess­full was that I used those long file­names in the paths, e.g.

    C:\Program Files\Apache Soft­ware Foundation\Apache2.2\htdocs

    but after chang­ing them all (includ­ing the path to the pass­word file) to "DOS-Friendly" the sys­tem started to work with­out any prob­lems — e.g.


  • Sander Thalen

    Just a thank you. It works as described for.

  • Chris

    Thanks alot Marco

  • Alexan­der de Boer

    Nice tuto­r­ial, but I have one prob­lem. I con­fig­ured my Apache and now all my sites get an 403 error and at no one a prompt to login.

  • newjim

    I can get the Apache chal­lenge box to come up, but it does not accept my pass­word, but keeps pop­ping up the chal­lenge box.

    This also occurs when I pop up the chal­lenge box directly, that is, with­out hav­ing an .htac­cess file:

    The prob­lem is that when I add the login and pass­word, there is no $_SERVER[PHP_AUTH_USER] or $_SERVER[PHP_AUTH_PW]. I can con­firm that by com­ment­ing out the lines above, inserting:


    and sub­mit­ting the Apache chal­lenge box. The dis­play of print_r does not include vari­ables for PHP_AUTH_USER or PHP_AUTH_PW.

    I'm using Apache 2.0 and PHP 5.1.4

  • newjim

    I answer my own question:

    The box that I was work­ing on had PHP installed as a CGI exe­cutable. When you load PHP as a mod­ule, as indi­cated in the tuto­r­ial, it works, even on Windows.

  • relay_denied

    Thank you very much! This worked fine on my WinXP Home w/ Apache 2.2.2, PHP 5.1.4, i.e. 6, Fire­fox 1.5. all on my hum­ble lit­tle note­book. I am amazed this thread is over 3 years old. Thanx for stick­ing with it and help­ing all of us either get­ting back on board or just break­ing in!

  • anand

    nice tuto­r­ial

    but my user­name and pass­word is not work­ing. it just say ur not authorised.

  • vita

    thank you man!!!! you really help me with this small tutorial.everything work­ing great.

  • thien­hat

    i have prob­lem with for­bid­den erros

    and I check my logs error

    here it is
    [Wed Aug 02 11:36:47 2006] [error] [client] File does not exist: C:/Apache2/htdocs/favicon.ico, ref­erer: http://localhost/

    where do i get favicon.ico

    please help

  • Habib


    Can some­body help me with my prob­lem. I cre­ated one of those web sites that will ask you for your pass word on Win­dows. How­ever, when I enter the pass­word, it looks like that the pass word is not rec­og­nized. I am not sure what I am doing wrong.

    Thanks for your help.

  • Ricky


    I keep get­ting an "Inter­nal Server error" . Other pages on my web­server can be accessed but this error shows when i try to access the 'secure' folder.
    My .htac­cess file is exactly the same as in the steps above.

    Any advice will be much appreciated.


  • Dan W

    I fol­lowed the instruc­tions to the let­ter and still get a "500 Inter­nal Server Error" when I tried to access the "secure" folder. Error file shows the fol­low­ing line:

    [alert] [client 192.XXX.XXX.X] C:/Program Files/XXXXXXXXXXX/ht.acl: AuthUser­File takes 1 – 2 argu­ments, text file con­tain­ing user IDs and passwords

    Run­ning Apache 2.0.55 with PHP 4.4.3 installed on a Win2k Server box. The passwd.txt file in the /bin/ con­tains my cho­sen user­name and the encrypted password.

  • phil

    Hello, I am try­ing to get pass­word pro­tec­tion work­ing on my apache win­dows 2000 sys­tem.
    I have fol­lowed every­thing exactly as the tuto­r­ial and read many other web help pages, how­ever I only get "403 for­bid­den you are not autho­rised to view this page" errors when I try to enter the pass­word pro­tected folder.

    My con­fig file is uploaded here:

    My htac­cess file is uploaded here:

    Can some­one please help me out. PLEASE SOMEONE help me. I have been try­ing for hours.

  • Neo

    This tuto­r­ial is fab­u­lous, It works for me. Thanks for all the great effort to depict things so nicely

  • espido

    hi. i'm from lima peru. inter­est­ing the manual.

  • TNT

    Hey! I've solved this prob­lem!!! I just had to skip the step 4. Now every­thing works just per­fect! Thanks for the tutorial!

  • David

    Great tuto­r­ial, but couldn't get it to work — kept deny­ing my username/password … until I read down the com­ments and found Dave's post some 15 months ago:

    "I’ve have many of the same For­bid­den errors you have all had. Finally fig­ured it out. I assume most of you are view­ing Direc­tory Indexes.
    So you need to have the fol­low­ing instead:
    AllowOver­ride All
    Options Indexes None
    Order deny,allow
    With­out "Indexes" you will lose access to the direc­tory views once you login."

    Yes, I was view­ing direc­to­ries and this fixed it for me. In the httdp.conf, "Options None" needs to be changed to "Options Indexes None".

    Thanks Dave for resolv­ing this for me  — and thanks to who­ever is respon­si­ble for keep­ing this thread open for so long!

  • joe

    ok i got the pass word work­ing and all but i enterd it in wrong one time and now it wont let me enter it agin and it says forbe­den every time i try to here is what the error log says hope u can help
    [Fri Apr 27 00:22:58 2007] [error] [client] Direc­tory index for­bid­den by Options direc­tive: C:/Apache2.2/htdocs/pass/, ref­erer: http://localhost/

    p.s i know my eng­lish is bad

  • don­voni

    Ive set up an Apache2 server on my WinXP home machine. its all goodie until i want to access my /secure folder. then i get a user/password request win­dow. but it wont accept my user login. after 3 tries i get "Autho­riza­tion Required" mes­sage. plz help. ive tried every­thing thats been said until this post =)

  • Jesse

    For those who do NOT get a user/pass window:

    Make sure that you set "AllowOver­ride" to "All" instead of "None" inside httpd.conf (not just in .htac­cess). The "AllowOver­ride" set­ting might occur a cou­ple of times, so make sure you set all that are needed. For exam­ple the "AllowOver­ride" set­tings in the directive


  • Arial

    Nice guide. Took me a lit­tle while to fig­ure out that this just doesn't work with when try­ing to access index direc­tory list­ing. You must point to a spe­cific page or file or else you will get a restricted error.
    Few have posted fixes for this with a sim­ple change in the conf file, but for my need, just includ­ing an index.html file. That is all I wanted in the first place.

  • Yuvaraj

    Thanks a mil­lion mate.. this guide helped me a lot to com­plete my assignment :)

    thanks again

  • Gau­rang


    I have the same prob­lem with my web­site pro­tec­tion. Enter­ing cor­rect user name and pass­word gives me FORBIDDEN message.

    Please advise me which part of httpd.conf would you like to see. I can show it to you.


  • Gau­rang


    Really a nice tuto­r­ial. Got it per­fectly but after apply­ing all the set­tings now get­ting for­bid­den mes­sage. Same prob­lem occured many times above with oth­ers so I guess I will surely get solu­tions sooner.


  • Gau­rang


    Get­ting the same error msg FORBIDDEN. Done every­thing cor­rectly as instructed above.

    Please help. Thx in advance.


  • TheAce

    Hi!, i'm using win­dows vista ulti­mate with Apache 2.2.3 + PHP 5.2.4 and i have a warn­ing to say:
    Inside the .htac­cess the passwd.txt PATH must be declared with " "

  • Hall


    This works fine on my lap­top with xp/apache

    But when I do excatly the same with the right steps and paths on the com­puter of a friend with apache/xp than apache ser­vice fails to restart !!!

    Do you have any idee what the prob­lem might be ?

    Regards from Holland,


  • BitchX

    Hall — you need to check the apache error log, and the win­dows appli­ca­tion log and it will show you the answer.

  • Tony

    I googled for a full day try­ing to get this right. Wish I would've found this page first! Thanks a million!!!!!

  • Alper Ã – ZCAN

    A lot of things (like .htac­cess prob­lem in Win­dows Server, httpd.conf AllowOver­ride str­ring etc..) has a prob­lem for me for a while.

    But i googled around the world. Only this page & some com­ments helps a lot!

    Big thank you "snip­tools"! I like you!

  • tcas­sio

    I have a prob­lem and can't find the answer any­where, maybe you can help.
    I am run­ning the lat­est ver­sion of XAMPP setup on a win­dows XP machine.
    I have htac­cess work­ing okay. I gen­er­ated the pass­words using the htpasswd.exe file in the Apache/bin folder.

    Here is my prob­lem.
    I was look­ing for a web based man­ager to man­age users. The ones I have tried all have been PHP based. The prob­lem is that the pass­words that are gen­er­ated through PHP are dif­fer­ent than the ones cre­ated using the htpasswd.exe file in the Apache/bin folder. As a results when I am prompted to login the pass­words do not work.

    It appears that the pass­word that is entered at the login prompt are dif­fer­ent that thoes cre­ated thru PHP.

    Is there a set­ting in Win­dows that is caus­ing this?
    Is there some­thing that I need to set in PHP to fix this?


    Thanks you but i am find to who to active htac­cess file on apache web server on win­dows server. Please help to this sub­ject :S

  • Shawn

    Great tuto­r­ial. I am how­ever get­ting a sim­i­lar error mes­sage that Man­gal got. I am get­ting an invalid com­mand "AuthUse­File" mes­sage. I checked my .conf file and found that

    Load­Mod­ule auth_basic_module libexec/apache22/

    is uncom­mented. Any ideas?

  • andie

    i'm try­ing to over­write the file httpd.conf but it won't let me… It saya i don't have the per­mis­sion to save on it. What can i do?

  • Karl Bishop

    Hi, thanks for the tuto­r­ial. I've just been doing this and it worked for restrict­ing access to php/html files within 'my secret area', but for some rea­son I can still enter names of zip files into my address bar and Fire­fox will let me down­load them. Do you know how I can stop this?

  • Jerry

    Thank you so much, you made it so easy to use!

  • amira_fcis

    hi .…first of all ur tuto­r­ial is more than help­ful and sim­ple..
    i fol­low it exactly more once on dif­fer­ent fold­ers but i still access these fold­ers..
    could u rec­om­mend me to do any­thing…

  • sal­ihkm

    Good doc­u­ment.
    Ini­tially it didn't worked as I put the ht.acl doc­u­ment in conf folder itself
    then i put the ht.acl in htdocs itself. then it worked.

    how can i pro­tect more than one folder?

    please mail me to

  • Lee Wright

    Thanks for the great tuto­r­ial, snip­tools.
    I get as far as the user­name pass­word dia­log box, but, some­how not allow­ing access, if you will, please take a look at the .htac­cess file and make any rec­om­men­da­tions, please? thanks.
    Some­how i can­not find your email address.
    Please con­tact me
    and i will respond with the .htac­cess file, thanks again.

  • http://www.weboceanbiz.6x,to Tejas Tank

    this is such excel­lent doc­u­ment for sys­tem admin

    but i have problem

    that in my win­dow server WAMP

    reweriterule not working ??

    i want that with win server

  • Palla­van

    Work­ing great in Win­dows Xp..

  • Wal­ter

    Worked per­fectly for me with WAMP

  • john

    I am not able to get the pass­word authen­ti­ca­tion to work on my win­dows 7 (64 bit).

    —Below is the entry in my .htac­cess file:

    AuthUser­File "C:/Program Files (x86)/Apache Soft­ware Foundation/Apache2.2/bin/.htpasswd"
    Auth­Name "Pri­vate Net­work Login Pass­word Required"
    AuthType Basic

    require valid-user

    — —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  —  — —
    –Below is my entry in the httpd.conf file

    #STEP 1. Check for the ACCESSFILENAME direc­tive. On Win­dows, let us
    # also add the "ht.acl" because although any XP allows me to
    # save a file with ".htac­cess" some erlier ver­sions may not
    # allow for it.
    Access­File­Name .htaccess

    #STEP 2. Cre­ate a DIRECTORY direc­tive for the direc­tory that you want
    # to password-protect. My e.g., a filed called "SECURE" inside
    # the root apache folder.

    AllowOver­ride All
    Options None
    Order deny,allow

    ~Any assis­tance is greatly appre­ci­ated. Thanks in advance.

  • Zahid Hus­sein

    I installed apache web server on vista at my home desk­top to run my site to show­case my pho­tos. Your instruc­tions helped me to pass­word pro­tect my fold­ers. Its the eas­i­est way to use .htac­cess on WAMP.
    Mant thanks

  • James

    Thanks much !!! I lost about an hour or so before find­ing this article…and the pro­ce­dure worked per­fectly on my WinXP/Apache machine.

  • Mar­tyn

    I tried the imple­men­ta­tion shown, and it would not seem to have made any change to my sim­ple (sin­gle page appli­ca­tion).
    I tried it with the .htac­cess file, then tried it with acl.htaccess just incase.

    AuthUser­File "C:/Program Files (x86)/Apache Soft­ware Foundation/Apache2.2/bin/passwd.txt"
    Auth­Name "User Login Data"
    AuthType Basic

    require valid-user

  • Mar­tyn

    For­got one more thing:
    Assum­ing I get this to work, what would need to change so that I could val­i­date against the win­dows logon data instead of a flat file?

  • Pingback: Windows下apache+.htaccess认证的设置 | Wang Jun's Blog()

  • Kevin Albs

    Thanks so much for the arti­cle how­ever I only got it work­ing by adding dou­ble quotes around the AuthUser­File. It was giv­ing me a 500 server error until I did put the quotes around. (as for your exam­ple it would be "c;/apache/bind/passwd.txt").

  • Mau­ri­tius

    I am try­ing to use .htac­cess to block a spe­cific coun­try to access my web­site, but my .htac­cess does not work at all. Please help me.

  • nico­las

    Great Work! Thanks a lot!

  • Nazrul Islam

    .htac­cess file is not work­ing for URL rewrite , any body help me…?

  • vicky

    hi i cre­ated my .htac­cess but the file passwd.txt is not being cre­ated in bin direc­tory by using –c –b passwrd.txt user­name and pass­word i did it sev­erl times but the file is not cre­ated and when i look from my browser to localhost/secure it shows error 403 for­bid­den access but it dosent ask for user­name and pass­word …HELPPPPP

  • Lol & co

    Hey! I am try­ing to use my .htac­cess to block my neigh­bor to park his car on my park­ing lot but my .htac­cess does not work at all. Please help me.