.htaccess and .htpasswd files
Most Apache webservers allow you to upload two files into any folder you want to protect. The file named '.htaccess' can contain some rules about who is allowed to see the pages in the folder, and the .htpasswd file can be used to set passwords for individual users. So a first option is just to upload such files to your webserver by hand.
The drawback is that every time you need something changed (add a new user, protect a certain folder...) you need to upload these files again. Not very user friendly.
What is in them?
The structure of these files is actually pretty simple. An .htaccess file often looks like this:
    AuthUserFile /home/pathto/.htpasswd
    AuthType Basic
    AuthName "Secret Place"
    <LIMIT GET POST>
    require valid-user
    </LIMIT>

All this says is that any file or script in the current folder can only be accessed by logged-in users, and the names of these users are in the .htpasswd file.
The .htpasswd file is even simpler. It contains a list of usernames followed by a colon followed by the (encrypted) password of each user.
    joe:sdo932Fsd
    jack:gx4kl895
    william:lm61dids

Generating these files with Movable Type: first, the .htaccess file
As you can see, most of the information in these files can easily be generated using Movable Type's template tags. You could, for example, create an index template that generates '.htaccess' as its output file, with the following contents:
    AuthUserFile <mt:blogsitepath>.htpasswd
    AuthName "Enter your username and password"
    AuthType Basic
    <Limit GET POST>
    require valid-user
    </Limit>

This would publish an .htaccess file that controls access to the current folder. Of course, you could publish this file into a sub-folder (or multiple sub-folders) as well, if you wanted just to protect certain categories, for example.
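One thing to check before using the template above: because require valid-user sits inside <Limit GET POST>, the rule covers only GET and POST requests (HEAD counts as GET), and any other method reaches the folder unauthenticated. The Apache documentation advises against putting access control inside a <Limit> section for exactly this reason. The following is an added example, not the post's template, showing the same .htaccess written with the rule applied to every method; <mt:blogsitepath> is the post's own tag, the "Require all denied" lines use Apache 2.4 syntax (on 2.2 the equivalent is "Order allow,deny" followed by "Deny from all"), and the <Files> block is an assumption about what you might add on top of what a stock httpd.conf already does for ".ht*" files.

```apache
# Added example: the post's .htaccess template with the access rule
# applied to every request method, not only GET and POST.
# Assumes the server config has "AllowOverride AuthConfig" for this
# directory tree; without it Apache silently ignores these directives.
AuthUserFile <mt:blogsitepath>.htpasswd
AuthName "Enter your username and password"
AuthType Basic
Require valid-user

# Belt and braces: refuse to serve the control files themselves.
# A stock Apache httpd.conf already does this for ".ht*" globally.
<Files ".ht*">
    Require all denied
</Files>
```

AuthUserFile must be an absolute filesystem path, which is why the template uses <mt:blogsitepath> rather than a URL.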
And now the .htpasswd file
For the .htpasswd file, things are a bit more complex, but not much. First, to determine who has access, you use an <mt:authors> loop to go over all authors linked to the blog. The beauty here is that you can add attributes to this tag so you can select exactly those authors you want: having a certain role, a certain username, having published an entry...
For the second line, you need the encrypted password. Fortunately Movable Type stores passwords in the same format as .htpasswd files use, so it is just a question of getting the (encrypted) passwords out of the database. There is no built-in template tag for this, but if you download and install the AuthorPassword plugin, a new tag <mt:authorpassword> becomes available that does just that: it displays the encrypted password of the author in context. (Download AuthorPassword.zip here).
So after installing the plugin, create another index template with .htpasswd as the output file this time:
    <mt:authors roles="Authorized Viewer" need_entry="0">
    <mt:authorname>:<mt:authorpassword>
    </mt:authors>

In this particular example, all users on the blog with the 'Authorized Viewer' role will be able to see the protected section.
A note about security
You should not publish the encrypted passwords in public anywhere. In most Apache installations, the contents of the .htpasswd file cannot be viewed by visitors of your site anyway. But if you start using the <mt:authorpassword> tag on publicly viewable pages, anyone who can read those pages gets a copy of every user's encrypted password.
In itself, the encrypted password is useless. You cannot decrypt it again to find the actual password. But hackers are known to have built large dictionaries containing the encrypted and unencrypted forms of vast amounts of passwords, so if the password is a common word or phrase the odds are good that some hacker only needs to make a quick lookup to find the actual password.
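To make both halves of this concrete (what the .htpasswd file contains, and why a published hash of a common password is as good as the password itself), here is an added Python example that is not part of the original post or of Movable Type. It parses an .htpasswd file, verifies a login the way Apache does, and runs the kind of precomputed-dictionary lookup described above as a self-audit of your own file. It uses the {SHA} entry format that Apache's htpasswd writes with the -s option, because that can be checked with the standard library alone; the post's sample entries are crypt(3) hashes, which this example recognises but does not evaluate. The usernames, passwords and the short word list are constructed for the example.

```python
"""Parse an .htpasswd file, verify a login against it, and audit it for
entries that a precomputed password dictionary would recover.

Added example (not from the original post or from Movable Type).
Handles the '{SHA}' entry format produced by `htpasswd -s`; other
formats (such as the post's crypt-style entries) are kept but not
evaluated.
"""
import base64
import hashlib
import hmac

SHA_PREFIX = "{SHA}"


def sha_hash(password: str) -> str:
    """Hash field as `htpasswd -s` writes it: '{SHA}' + base64(SHA-1(password)).
    There is no salt, so two users with the same password get identical entries."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def sha_entry(user: str, password: str) -> str:
    """One .htpasswd line for `user` in the {SHA} format."""
    return f"{user}:{sha_hash(password)}"


# Constructed sample .htpasswd (assumption: users, passwords and word list
# are invented for this example). joe has a common password, jack a long
# passphrase, and william keeps the post's crypt-style sample entry.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
SAMPLE_HTPASSWD = "\n".join([
    "# lines starting with '#' and blank lines are ignored",
    sha_entry("joe", "password"),
    sha_entry("jack", "fjord-orbit-lantern-quilt-92"),
    "",
    "william:lm61dids",
]) + "\n"


def parse_htpasswd(text: str) -> dict:
    """Map username -> hash field.

    Splits on the first ':' only, since some hash formats contain ':'
    themselves. When a user appears twice the first line wins, mirroring
    Apache, which stops scanning at the first matching username."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, field = line.partition(":")
        if not sep:
            continue  # malformed line without a separator: ignore it
        entries.setdefault(user, field)
    return entries


def verify(entries: dict, user: str, password: str) -> bool:
    """What the server does per request: hash the supplied password the same
    way and compare. Only {SHA} entries are understood here; any other
    format is rejected rather than guessed at. Constant-time compare so the
    check itself leaks nothing about how many characters matched."""
    stored = entries.get(user)
    if stored is None or not stored.startswith(SHA_PREFIX):
        return False
    return hmac.compare_digest(sha_hash(password), stored)


def weak_entries(entries: dict, wordlist) -> dict:
    """The lookup the post warns about, run by the site owner as an audit.

    Because {SHA} is unsalted, one table of hash -> word covers every user
    at once; any entry found in it is no better than the plaintext and
    should be changed before the file is generated again. Returns
    {user: word} for the entries that were found."""
    table = {sha_hash(word): word for word in wordlist}
    return {user: table[stored] for user, stored in entries.items() if stored in table}


if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print("users:", sorted(users))
    print("joe / password accepted:", verify(users, "joe", "password"))
    print("entries recoverable from the word list:", weak_entries(users, COMMON_PASSWORDS))
```

Run as a script it prints the parsed users, confirms joe's login, and reports joe as the only user whose entry the four-word list recovers; jack's passphrase survives only because it is not in the list, which is the whole point of the post's warning: the protection of a published hash is exactly the guessability of the password behind it.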