A simple way to password protect your Magento store

March 20, 2009

This post will describe a simple technique to secure your Magento virtual host with basic HTTP password protection provided by Apache. This can be useful if you want to keep users away from the webstore during development, or if you sell products wholesale and do not want unauthorized users to view your catalog/pricing.

To be very clear from the outset, this technique uses basic HTTP authentication, which if used over HTTP (rather than HTTPS) affords no security for the passwords while they are in transit across the internet. If you are interested, you can learn more about the limitations of basic access authentication. As a simple mechanism for keeping people out of a site, it will do just fine. If you store your nuclear missile access codes in a Magento store database, do not use this technique to protect them, please.

Normally when I’m developing a new site I just use virtual hosting and a modified operating system hosts file to prevent people visiting it while it’s in development. I realize that’s not really security, more obscurity, but it has worked fine for me in the past.

Recently I have had a need to more fully protect a site, but also to make it public via DNS records. In a nutshell, the steps required are: configure virtual hosting for your webstore, configure Apache authentication, set up a user/password and reload Apache. I’ll run through everything in detail below.

Configure virtual hosting for your webstore

I won’t go into details here about how to set this up; I have a tutorial on configuring virtual hosts for MAMP on a Mac, and it’s not really different across other platforms.

Let’s just say you have a virtual host such as this configured:

<VirtualHost *:80>
ServerName distribution.example.com
DocumentRoot /var/www/distribution.example.com
</VirtualHost>

Configure Apache authentication

The configuration change is quite simple on the Apache side of things: place the following Directory block into your VirtualHost block.

<Directory "/var/www/distribution.example.com/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride all
        AuthName "Wholesale Buyer Access"
        AuthType Basic
        AuthUserFile /etc/apache2/wholesale_buyers.htpasswd
        Require valid-user
</Directory>

There are two important things to note here. The AuthName string, i.e. ‘Wholesale Buyer Access’, is what users will see on the browser prompt that pops up asking for a password. The AuthUserFile is the file that stores the usernames and passwords for the secure area. Place this Directory block into the VirtualHost block like so:

<VirtualHost *:80>
ServerName distribution.example.com
DocumentRoot /var/www/distribution.example.com
<Directory "/var/www/distribution.example.com/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride all
        AuthName "Wholesale Buyer Access"
        AuthType Basic
        AuthUserFile /etc/apache2/wholesale_buyers.htpasswd
        Require valid-user
</Directory>
</VirtualHost>

You can see clearly that the directory has to match the document root of the virtual host for this to make sense. Note that this same configuration can be applied to non-virtual host configurations; you simply do not place the Directory configuration inside a VirtualHost.

Setup a user/password

To add a password to the Apache file, you use a command-line utility called htpasswd.

# Touch the file to create it.
# It'll save you from accidentally wiping out your passwords with the -c option to htpasswd.
touch /etc/apache2/wholesale_buyers.htpasswd
# Run this command once for each user you want to grant access to the store.
# Put your desired name in place of 'your_name', obviously.
htpasswd /etc/apache2/wholesale_buyers.htpasswd your_name
# Lock the file down
chown root:root /etc/apache2/wholesale_buyers.htpasswd
# Note: 644 leaves the password hashes readable by every local account; Apache only needs to read the file itself.
chmod 644 /etc/apache2/wholesale_buyers.htpasswd

Reload apache

Now all that’s left is a quick reload of the Apache configuration files. If you do not use a Debian-based distro (such as Ubuntu) then your control of Apache may be different to what I’m describing here. If you do use one, lucky you: you can copy and paste your way to a secure Magento store!

/etc/init.d/apache2 force-reload
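
As an added example (not part of the original post), here is a small shell audit for the password file created in the steps above. It classifies each entry's hash scheme by its prefix, flags unsalted `{SHA}` and traditional crypt() entries as weak, and reports whether the file is world-readable. The function names and the sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an Apache htpasswd file. All sample data below is constructed.
# Map a stored credential to its hash scheme by prefix/shape.
classify_hash() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '$5$'*|'$6$'*)           echo sha-crypt ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        *[!./0-9A-Za-z]*)        echo unknown-or-plaintext ;;
        *)  # traditional crypt(3) output is exactly 13 chars from [./0-9A-Za-z]
            if [ "${#1}" -eq 13 ]; then echo des-crypt
            else echo unknown-or-plaintext; fi ;;
    esac
}

# Print "user scheme verdict" per entry; return 1 if any entry is weak.
audit_htpasswd() {
    local user hash rest scheme verdict rc=0
    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            bcrypt|sha-crypt) verdict=ok ;;
            apr1-md5)         verdict=dated ;;
            *)                verdict=weak; rc=1 ;;
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$1"
    return "$rc"
}

# Succeeds when "other" has read permission, i.e. any local account can copy the hashes.
world_readable() { [ -n "$(find "$1" -prune -perm -004 -print)" ]; }

# Constructed sample file: the hash strings have the right shape but match no real password.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# wholesale buyers (constructed)
alice:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:$apr1$saltsalt$abcdefghijklmnopqrstuv
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:ab1cD2eF3gH4i
EOF
chmod 644 "$sample"   # the mode used in the post

audit_htpasswd "$sample" || echo "weak entries found: re-issue those passwords"
if world_readable "$sample"; then echo "file is world-readable"; fi
```

To check the real file, call `audit_htpasswd /etc/apache2/wholesale_buyers.htpasswd` as a user who can read it.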

With these simple steps you can protect your Magento store with a basic HTTP password. Remember though that HTTP basic authentication over non-HTTPS connections is no substitute for real security, but it will at least let you control who can access your store, during development, or once it is running in production mode.

Ashley

Hi! I'm Ashley Schroder, a Software Engineer from New Zealand - this is a collection of notes on my experiences with Ecommerce Web Development, particularly Magento Development.

5 responses to A simple way to password protect your Magento store

  1. Do you know if there is way to password protect a single store within a web site?

    For example, if we have the following structure

    Website
    – Public Store
    —- English Store View
    —- French Store View
    – Private Store
    —- English Store View
    —- French Store View

    Is there a way to force password access to Private Store?

    The problem we’re trying to solve is that we want certain products to be available only to a select group (redirected from another web site). The solution (a bit of a hack) is to set up those products only in the Private Store. We’d like to limit access to Private Store to those who have been given a username/password combination.

    Any ideas?

  2. It is possible to only protect subdirectories – I assume the stores are
    accessed as subdirectories? Or are they subdomains?

    I had a great deal of trouble (and eventually gave up) trying to
    ‘unprotect’ a particular subdirectory. In reverse though it should be
    easy, just only restrict access on a particular directory or
    subdomain.

    Let me know a bit more about your config and I could post a howto for it.

  3. Hi,

    I am using the multiple website setup with subdirectories and I have been successful at protecting my subdirectory, but I am constantly prompted multiple times for the username/password as I navigate the store. For example, if I go from the root of my store ‘/store1/’ to the cart page ‘/store1/checkout/cart/’ I am prompted again. Why is this if I set up the authentication at my store’s root level?

  4. I had the same problem as Greg, though oddly it only asks for the auth repeatedly in Firefox. Safari and Chrome work fine. Not the end of the world but it is weird.

  5. I’m wondering how this site has progressed with HTTP auth applied.

    In recent times I have protected the development version of two Magento instances prior to live using this method.

    I always run into issues… Such as:

    Files referenced within CSS that have full URLs from the secure HTTPS URL (if you have one in place) fail to authenticate, breaking the design.

    Uploading product images fails due to the Flash uploader.

    Plus more…

    Normally all of the problems disappear as soon as I disable the HTTP auth basic.

    I’m interested to hear if this site functions completely correctly and is still deployed within this context.