Why .htaccess and .htpasswd does not accept my log-in info

Question

My Question

Why .htaccess and .htpasswd does not accept my log-in info?

My sources to learn what should I do

1. http://www.addedbytes.com/blog/code/password-protect-a-directory-with-htaccess/
2. http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/

What I Did?

I took my full path info from phpinfo()

full path to my root: /home/userid/public_html

I put my .htpasswd into root folder (public_html) so full path to my .htpasswd: /home/userid/public_html/.htpasswd

my admin folder name that I want to protect via password: adminfolder

I put my adminfolder into root folder (public_html)

Folder Structure

public_html
---- .htaccess {permission: -rw-r--r--}
---- .htpasswd {permission: -rw-r--r--}
---- adminfolder {permission: drwxr-xr-x}
---- ---- .htaccess {permission: -rw-r--r--}
---- ---- other secret files {permission: -rw-r--r--}

.htaccess code (the one in adminfolder)

AuthUserFile /home/userid/public_html/.htpasswd
AuthName "Log In"
AuthType Basic
Require valid-user

.htpasswd code

note: This the encrypted version of my raw password.

admin:zv.sqVSz3W1nk

.htaccess code (the one just in public_html)

RewriteEngine On
RewriteBase /

#always use www - redirect non-www to www permanently
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{HTTPS}s on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


# hotlink protection
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.p.ht [NC]
RewriteRule \.(jpg|jpeg|png|gif|css|js)$ - [NC,F,L]

# compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

# File caching is another famous approach in optimizing website loading time
<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf|js|css|pdf)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>

# disable directory browsing
Options All -Indexes

# secure htaccess file
<Files .htaccess>
 order allow,deny
 deny from all
</Files>

# secure spesific files
<Files a_secret_file.php>
 order allow,deny
 deny from all
</Files>

#SEO friendly linking
...
...

I checked

1. my fullpath info
2. username - raw and encrypted passwords
3. codings
4. all my files are prepared in notepad++ & encoded UTF-8 without BOM

Lastly

I tried at chrome. I entered username + non-encrypted raw password. Chrome asked me to log-in again.

then I cleared all cache of IE. Again I entered username + non-encrypted password. IE also asked me to log-in again.

Can you please correct me? thanks, BR

Answer 1

This issue is because your server might uses different algorithm to encrypt/decrypt the password, you can test different password combination from different algorithm in order to find-out the correct one.

Please see this site: http://aspirine.org/htpasswd_en.html

It uses JavaScript for generating password, you can save the page and run it locally for security reasons.

Please check Apache htpasswd

Answer 2

note: This the encrypted version of my raw password. admin:zv.sqVSz3W1nk

Unix http servers will interpret it as a crypt(3) hashed password, but apache on windows/netware will interpret it as a plaintext password. But I guess your server is a Unix one, so this is probably not the issue.

all my files are prepared in notepad++ & encoded UTF-8 without BOM

Does your password contain some non-ascii characters, like french accents ? Use only 7-bit ASCII characters if you want to keep things simple and cross-browser compatible. See this question