by Howard B. Richman
Webmasters can now implement password-protected pages without Telnet access to sell all downloadable products. We will explain how to create access authorization using only FTP. This will be helpful to most webmasters who want to create authentication files but who do not have Telnet. Unfortunately, most of the restricted-access tutorials assume that the webmaster can use Telnet, which, of course, is not true. Now you can sell your software, documents, images and music online. You can easily protect files and directories so that they require a username and password, and you don’t have to be a computer programmer to do it!
Requirements.
You own the domain name and maintain the site.
Your site is posted on a UNIX server. (It’s possible that these tips may work on other servers.)
You have FTP access. If you don’t have an FTP program, you can get one from http://www.ipswitch.com/
Here’s How To Do It.
We will be creating three separate files contained in two separate directories on your website. Please note: Elements in red bold should be replaced with your customizations.
http://www.yourdomain.com/protect/product1/index.htm
http://www.yourdomain.com/hidden/product1/.htpasswd
http://www.yourdomain.com/protect/product1/.htaccess
Notice that the last directory of each filepath has “/product1/” in common. This way, when you add more products later, it will be easier to create a unique username and passcode for each of your downloadable products, and to keep track of it all. Just replace the /product1/ directory name with the name of each additional product.
1) Create the page(s) you want protected. This could be anything you want limited access to. For example, it could be a special document, or an image, a music file, software, or anything. Name the page:
http://www.yourdomain.com/protect/product1/index.htm
Publish (upload) it in the normal way you would publish any other web page. Notice that the directory, “/protect/” is a dedicated directory just for password-protected files. (You could name it anything you want.) Repeat this process for each page or file you want protected.
2) Create the .htpasswd file. This is the file that contains the secret username(s) and password(s) that correspond to the page you want to protect. We do two things to help prevent people from discovering this information. (1) The password is encrypted. (2) The file itself is hidden in a different directory from the one containing the page being protected.
First, we have to create the encryption. If we had Telnet access, there is a procedure that uses the UNIX Apache server to create the crypt code needed, right on your own server. Since most webmasters do not have Telnet access, you can build the appropriate encryption by going to the following free website:
http://cobalt.golden.net/generator/index.cgi
Just type in the username and the password you have chosen for the page you want to restrict.
username is “howard”
password is “opensesame”
After running it through the encryption, you get:
howard:9lljfi88eqp5s
(Please note that every time you run the same username and password, you end up with a different encrypted password, because a random salt is mixed in on each run. But they all will work!)
If you want to allow multiple usernames and passwords to access the same directory, just list them one per line like this:
howard:9lljfi88eqp5s
harry:62dI0B3riwv6g
cindy:46Of11oy.hmss
jim:85xYleVHLYe0M
Theoretically there is no limit, but it does slow things down a bit if you have too many listed.
Copy and paste this combination (username matched with encrypted password) into a simple text file.
Now save the file. Windows does not allow you to save a file beginning with a “.” So just save it as “htpasswd.txt” and change the name remotely after you FTP it.
Upload the file to the “/hidden/product1/” directory on your site using your FTP program. (You must upload in ASCII mode for this or it won’t work!)
Now, remotely change the name of the file to “.htpasswd”
Finally, you must now use the CHMOD command through your FTP program to set the permissions of the directory where this file is stored to CHMOD 640. This allows the server to read it and only YOU to change it but nobody else!
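The username:hash line from step 2 can also be built on your own computer, so the password never has to be typed into a third-party website. This is an added example, not part of the original article; it uses Apache's apr1 (MD5-based) format instead of the 13-character crypt format shown above, and the function names are made up for illustration.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def new_salt(length=8):
    """Random salt; it is why the same password gives a different line each run."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))

def apr1_hash(password, salt):
    """Apache apr1 password hash (MD5-based, 1000 rounds, salt of up to 8 chars)."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for left in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, left)])
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = []
    # apr1 emits the 16 digest bytes in this fixed order, 6 bits at a time.
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "$apr1$%s$%s" % (s.decode(), "".join(out))

def htpasswd_line(username, password, salt=None):
    """Return one 'username:hash' line ready to paste into the .htpasswd file."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    return "%s:%s" % (username, apr1_hash(password, salt or new_salt()))

if __name__ == "__main__":
    print(htpasswd_line("howard", "opensesame"))
```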
3) Create the .htaccess file. This is the file that does the magic. When the browser detects this file, it will display a request for username and passcode before allowing a visitor to see the desired file. This file affects the directory and all sub-directories in which it is placed.
In a new text file, type the following:
AuthUserFile /home/yourdomain/docs/hidden/product1/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
How it Works.
AuthUserFile tells the server that it will find the file containing the passwords (.htpasswd) in the directory called /hidden/product1/
It needs to be the full UNIX pathname of where the .htpasswd file is stored. Your web host can provide you with this information.
AuthGroupFile tells the server where to find the group file. You only need a group file if you have multiple usernames associated with a single password for the same password-protected page. ( It contains only user names and doesn’t hold password information.) Just leave it as /dev/null to leave this function unused.
AuthName specifies what shows up on the entry box when the browser asks the user to enter a password. You can write whatever you want here, but “Restricted Access” is the most common.
AuthType describes the type of authentication we’re using. In this case, it’s “Basic.”
<Limit GET>: GET is the HTTP request that a browser sends to a server to ask for a file. This line limits the power of GET by saying that only the valid user may look at files in this directory. Methods that are not listed inside <Limit> are not covered by the password requirement. If you want it to cover other methods as well (particularly in CGI directories), list them separated by spaces in the Limit directive, for example <Limit GET POST PUT>.
Add one blank line at the end of the .htaccess file or it won’t work!
There must not be any spaces or special characters after any of the lines.
Now save the file. Windows does not allow you to save a file beginning with a “.” So just save it as “htaccess.txt” and change the name remotely after you FTP it.
Upload this file to the “/protect/product1/” directory on your site using your FTP program. (You must upload in ASCII mode for this or it won’t work!)
Now, remotely change the name of the file to “.htaccess”
Finally, you must now use the CHMOD command through your FTP program to set the permissions of the directory where this file is stored to CHMOD 755.
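The rules from step 3 (full UNIX pathname, nothing after the end of a line, a final newline, ASCII-mode upload, password file kept in a different directory) can be checked on the text of the .htaccess file before it goes live. This is an added example, not part of the original article; lint_htaccess, its messages and the optional docroot check (which goes beyond what the article asks for) are assumptions made for illustration.

```python
import posixpath

def _inside(path, parent):
    """True if path is parent itself or lies below it."""
    parent = posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def lint_htaccess(text, protected_dir, docroot=None):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings = []
    if not text.endswith("\n"):
        findings.append((0, "no newline at end of file"))
    for n, raw in enumerate(text.split("\n"), 1):
        if raw.endswith("\r"):
            findings.append((n, "CR at end of line (upload in ASCII mode)"))
            raw = raw[:-1]
        if raw != raw.rstrip():
            findings.append((n, "trailing whitespace"))
        parts = raw.split(None, 1)
        if len(parts) < 2:
            continue
        key, arg = parts[0].lower(), parts[1].strip()
        if key == "authuserfile":
            path = posixpath.normpath(arg.strip('"'))
            if not path.startswith("/"):
                findings.append((n, "AuthUserFile is not a full UNIX pathname"))
            elif _inside(path, protected_dir):
                findings.append((n, "password file is inside the protected directory"))
            elif docroot and _inside(path, docroot):
                findings.append((n, "password file is inside the web root"))
        elif key == "authname" and " " in arg and not (arg[0] == arg[-1] == '"'):
            findings.append((n, "AuthName with spaces must be quoted"))
        elif key == "<limit":
            findings.append((n, "login required only for " + arg.rstrip(">")))
    return findings

# Constructed sample: the article's file with flaws added on purpose.
SAMPLE = (
    "AuthUserFile hidden/product1/.htpasswd\n"
    "AuthGroupFile /dev/null \n"
    "AuthName Restricted Access\r\n"
    "AuthType Basic\n"
    "<Limit GET>\n"
    "require valid-user\n"
    "</Limit>"
)

if __name__ == "__main__":
    print(lint_htaccess(SAMPLE, "/home/yourdomain/docs/protect/product1"))
```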
Now, when someone attempts to access the password-protected page, their browser will display a request for “authentication.” The user must type in the correct username and passcode. Once this is done, they will gain immediate access to the desired page.
Repeat the above process for any web page or file you wish to have restricted access.
NOTE: This information is mostly for people who are creating web pages using an html editor or who write code directly. IF YOU ARE USING WORDPRESS OR OTHER METHODS TO MAKE YOUR SITE, THERE IS LIKELY A BUILT-IN OPTION TO PASSWORD-PROTECT ANY PAGE, SO THIS INFORMATION MAY NOT BE NECESSARY FOR YOU!
Automate Your Sales.
You can automate your sales if you use the above password-protection technique in conjunction with a Digital Product Delivery Interface connected to a shopping cart. This way, people can select the product they want, pay for it online, immediately be issued the username and password to access the product, receive email confirmation of all this, and then access the product, all without requiring your attention! The money gets deposited to your bank account, while you can be off creating more products (if not finally taking a vacation).