How to use .htaccess files with claroline?

From ClarolineDoc

During install an .htaccess file is created to protect Platform Administration section

This file contain theses lines 

AuthName "Administration Claroline"
AuthType Basic
Require valid-user
AuthUserFile "/a_path_to_the_password_file/.htpasswd4admin"


Table of contents
1 What to protect ?
2 How ?

2.1 Claroline use 2 devices
2.2 Code

[edit]

What to protect ?

  • /claroline/admin
  • /claroline/install
  • /claroline/include ou /claroline/inc
  • /claroline/lang
  • /archive
  • /claroline/garbage
  • /claroline/course_home/course_home.php
  • /claroline//doc
  • /claroline/sql
[edit]

How ?

Official : http protection .

[edit]

Claroline use 2 devices

  1. . Your user account in claroline to set uid in session (needed for some action in the admin section)
  2. . Apache protection to really protect theses directories

Why 1° is not enough ? Because it required that mysql is running and that claroline is correclty configured.

That's why Claroline provides an .htaccess to protect the install and admin directories (it's later that we realized that there were not only one directory to protect)

This .htaccess protect these sections by password. The password file is called .htpasswd4admin. You can fill it by a tool in admin or in shell command line with htpasswd. We're aware that some providers still give hosting without access to system directory up to document root of hosting. So .htpasswd4admin is in /claroline/admin/. But it's better to move it in a directory out of you web space. If you can do'it , change the path in .htaccess.

And if .htaccess doesn't work ? Actually, The Claroline admin script doesn't search for an .htaccess, but it checks if you are 'http/auth' valid. This means that if you remove .htacces and set protections in Apache conf ... That's ok. If the Claroline admin script finds a valid name in $HTTP_AUTH_USER it knows that http proctection works and have done his job. If the script run and $HTTP_AUTH_USER is empty, there is a big problem. The script is unprotected.

[edit]

Code

/*--protectAdminIndex--*/
if (   ("apache" ==  strtolower(substr($_SERVER['SERVER_SOFTWARE'],0,6)))
Retrieved from "http://doc.claroline.net/en/index.php/How_to_use_.htaccess_files_with_claroline%3F"