View Full Version : Can AuthUserFile in .htaccess use a relative path?

12-04-2008, 12:15 AM
I'm using .htaccess to password-protect some pages. The password file is specified with the AuthUserFile value, for example:

AuthUserFile "/home/sites/myusername/httpdocs/.htpasswd"

Now, by using this absolute path, the site cannot easily be moved to another account or even another server or hoster without changing stuff manually, because the above path won't be valid there. I'd have to manually inspect all .htaccess files in the entire site, and change the paths accordingly.

Therefore, I'd prefer to use something like:

AuthUserFile "../.htpasswd"


AuthUserFile "%{DOCUMENT_ROOT}/.htpasswd"

or whatever would be relative to my site's local folder. But I can't get this to work.

Is this actually possible, or does .htaccess really ONLY allow absolute paths? :(

(note: The %{DOCUMENT_ROOT} thing actually gives what I need in RewriteRule, can't that be used with AuthUserFile??)

12-04-2008, 01:53 PM
AFAIK, it should be an absolute path. I can't find the info from the apache docs, though an .htaccess file is just an extension of your server's conf file. Thus we may need to follow the same rules here also.

The AuthUserFile directive specifies the path to the password file. This must be specified as an absolute path -- if specified as a relative path, the web server will look in its root directory, which is not where your content resides.

12-04-2008, 03:56 PM
Well, the apache documentation (http://httpd.apache.org/docs/1.3/mod/mod_auth.html#authuserfile) says:

If it is not absolute (i.e., if it doesn't begin with a slash), it is treated as relative to the ServerRoot.

But I'm not sure what 'ServerRoot' would be.

Besides, if %{DOCUMENT_ROOT} would work like it does with mod_rewrite (in RewriteRule etc), that is an absolute path so that might have done the trick. Except it doesn't...? :rolleyes:

10-12-2011, 07:27 PM
Granted the thread is old, but the problem still floats around.

For those who still have this issue of finding their AuthUserFile absolute path to their web space (because your web hosting site is unable to), you can make a simple php file and run it from your site to find the answer.

Use notepad and make a file called myroot.php (or any filename with the .php extension)
copy the following code into the file
<title>Getting your AuthUserFile root location</title>
echo “<h1>Your website root location is --> “;
echo “ <--</h1>”;
Remember to save, and then upload it to your webspace, and run it from a browser on your webspace and copy the path to somewhere safe (and then remember to get rid of the file when you are done using it so a hacker cannot find your AuthUserFile absolute path for your web space).

It'll display the absolute path where your publically accessible webpages are kept, and more often your FTP can upload to one level up (which is a good spot for keeping password files, or making a folder from that level where the public cannot access, but since the AuthUserFile specifies an absolute path on the hard drive, you can choose a folder that you can only get to with an FTP application).

I've had a few ISP that had no clue where the site hosting was being done, much less the absolute path for my webspace, so I setup a little page for people wanting to try using htaccess.


It provides simple examples which can often be the best to get people started, especially taking the time to explain how and why.