
password protect directory during certain hours


I've got a website on Apache.  One of my directories is password protected.  I'd like to restrict access during certain hours of the day for specific users.  Any idea how I can do this?

E.g. UserX can only have access between 8am - 1pm.


I know for a fact that this can be done with mod_rewrite.  Two server 'variables' are available to the rewrite engine that you would probably be interested in:

TIME_*  (TIME_YEAR, TIME_MON, TIME_DAY, ...)  (obviously these represent time in various aspects)

REMOTE_USER  (this would have the username of the user who had authenticated to your password protected directory).

I would imagine something like this in your httpd.conf or .htaccess file in the password protected directory:

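# Send the listed users to restricted.html outside 07:00-19:00
RewriteEngine On
# Time is before 07:00 OR after 19:00 (no space after the comparison operator)
RewriteCond %{TIME_HOUR}%{TIME_MIN} <0700 [OR]
RewriteCond %{TIME_HOUR}%{TIME_MIN} >1900
# ...AND the authenticated user is one of these
RewriteCond %{REMOTE_USER} =user1 [OR]
RewriteCond %{REMOTE_USER} =user2 [OR]
RewriteCond %{REMOTE_USER} =user3
RewriteRule ^.*\.html$ restricted.html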

You can probably find all the info you need from these two pages:


The rewriting guide has an example of basically the above.

So you know, I haven't tested this setup. ;)

One other thought...

The Squid proxy server can be run as a 'reverse proxy', meaning it's basically an httpd accelerator.  It has a lot of powerful features to describe when a certain resource is available or not.  You could easily place the Squid server logically in 'front' of your Apache server, and load both the authentication and time aspects into it.  This also gives you the added bonus of the powerful caching engine as well.  Something to think about at least.


An interesting note regarding my rewrite suggestion comes from the rewrite documentation...

There is the special format %{LA-U:variable} for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable. Use this when you want to use a variable for rewriting which is actually set later in an API phase and thus is not available at the current stage. For instance when you want to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you have to use %{LA-U:REMOTE_USER} because this variable is set by the authorization phases which come after the URL translation phase where mod_rewrite operates. On the other hand, because mod_rewrite implements its per-directory context (.htaccess file) via the Fixup phase of the API and because the authorization phases come before this phase, you just can use %{REMOTE_USER} there.

So, if your password protected directory is in the .htaccess file, you're safe.  However, if it's in your httpd.conf file, you're going to need to use %{LA-U:REMOTE_USER} instead.

alexzaleski (Author) commented:
Thanks bobsledbob, I'll give that a try. The directory I'm trying to protect is https://mysite.com/safedir

This dir has a .htaccess file in it with the authorized users in the file. Is this where you suggest the Rewrite occur?

The other hack I thought about, though much less elegant, was a cron job that would replace the .htaccess file with the appropriate one when needed and then restore the original when needed.

Your rewrite statements could go in either your .htaccess or your httpd.conf file.  If you don't have root access, then you have to put it in your .htaccess file.

Ya, using a cron job would be yucky.  But, it would definitely work.  :)

alexzaleski (Author) commented:
bobsledbob - your suggestion was right on.

Here is the exact syntax I used.
# Redirect demo2 if the time is before 11am or after 2pm
RewriteEngine on
RewriteCond %{TIME_HOUR}%{TIME_MIN} <1100 [OR]
RewriteCond %{TIME_HOUR}%{TIME_MIN} >1400
RewriteCond %{REMOTE_USER} ^demo2$
RewriteRule ^(.*) http://yahoo.com [L]

Thanks Alex
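
The rule set in the post above can be checked at its boundaries before it is deployed. The following is an added example, not code from the thread: a small Python model of how mod_rewrite chains RewriteCond lines, run over every minute of a day. The function names and the tuple layout are assumptions made for this sketch, and NO_OR_RULE is a constructed variant in which the two time tests are not joined by [OR].

```python
import re

def cond_matches(test, pattern):
    """One RewriteCond: <, > and = compare strings; anything else is a regex."""
    if pattern[0] in "<>=":
        op, operand = pattern[0], pattern[1:]
        return {"<": test < operand, ">": test > operand, "=": test == operand}[op]
    return re.search(pattern, test) is not None

def rule_fires(conds, env):
    """conds is a list of (variable names, CondPattern, has_OR_flag).

    Conditions are ANDed, except that a run joined by [OR] counts as one
    group that is true as soon as any member is true.
    """
    i = 0
    while i < len(conds):
        names, pattern, or_next = conds[i]
        ok = cond_matches("".join(env[n] for n in names), pattern)
        if or_next and ok:
            while i < len(conds) and conds[i][2]:
                i += 1          # skip the rest of this OR group
        elif not or_next and not ok:
            return False
        i += 1
    return True

def request_env(hhmm, user):
    # TIME_HOUR and TIME_MIN are two-digit, zero-padded strings, so the
    # concatenation is always four characters and string order equals time order.
    return {"TIME_HOUR": hhmm[:2], "TIME_MIN": hhmm[2:], "REMOTE_USER": user}

def allowed_times(conds, user):
    """Every HHMM of the day at which the rule does NOT fire for this user."""
    day = [f"{h:02d}{m:02d}" for h in range(24) for m in range(60)]
    return [t for t in day if not rule_fires(conds, request_env(t, user))]

T = ("TIME_HOUR", "TIME_MIN")
DEMO2_RULE = [(T, "<1100", True), (T, ">1400", False), (("REMOTE_USER",), "^demo2$", False)]
# Constructed variant: the same shape without [OR], so both time tests must hold at once.
NO_OR_RULE = [(T, "<1100", False), (T, ">1400", False), (("REMOTE_USER",), "^demo2$", False)]

if __name__ == "__main__":
    window = allowed_times(DEMO2_RULE, "demo2")
    print("demo2 allowed from", window[0], "to", window[-1])
    print("minutes redirected without [OR]:", 1440 - len(allowed_times(NO_OR_RULE, "demo2")))
```

The window comes out inclusive at both ends (1100 through 1400), and any user other than demo2 is never redirected by this rule. Without [OR] the two time tests can never both be true, so the rule never fires at all.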


Looks real good.  Nice job.  Short window of opportunity for demo2 (only 3 hours). ;)

Take care,


