Password protected web content

How do you use access control with WhizBase? We get this question very often lately, so I'll try to explain basics here and to provide some sample code that you can modify and use for your own needs.

WhizBase uses its own, built-in access control system. It has three types of authentication (cookie, basic and digest). While digest is the most secure, basic is most common and cookie does not require any web server configuration, so everyone will chose the type that works best for his needs.

In all cases we need an access configuration file that contains basic authentication settings and a list of authorized users. It can be saved with any extension but we strongly recommend that you use .wbsp (same as other WhizBase script files) for security reasons.

Its basic structure looks like this:

WB_Realm=Sample page protection


If you saved the file as WhizBase script (.wbsp), then you should also add following (after the code above):

This is <b>not</b> a public document!<br>
Please do not attempt to download it!<br>
Your IP address <b>$wbe[REMOTE_ADDR]</b> is recorded in our log file!<br>
Thank you!

This will hide your authentication settings even from authorized users.

Now assuming that you saved this file as myfirsthtaccess.wbsp in directory “loginfiles” located in document root directory (http://yourdomain/loginfiles/) you should add following line in [FormFields] section of every .wbsp script (page) you want protected:


To protect entire directory simply add WB_HTAccess= /loginfiles/myfirsthtaccess.wbsp to [FormFields] section of file in that directory.

Now let's analyze file myfirsthtaccess.wbsp. In section [Authentication] we configure authentication type (in this case we use B for basic authentication), set the authentication realm (a description of the server or site area being accessed) and option to scramble saved passwords.

Section [AuthUsers] contains usernames and passwords for all authorized users in form of pairs:


While usernames are not case sensitive, passwords are. Although we always add password as plain text, it will be scrambled after first use if WB_Scramble variable is set to true (in section [Authentication] mentioned above), so it will look like this:

WebUser=  %1F%15%13*%0A%01%16Mr%12%14%1F

Section [FormFields] and an HTML code are added to protect your data from being read as web page.

This method protects only WhizBase scripts, but it can easily be modified to protect your other files (images, archives, documents, videos, etc.) from unauthorized access. For instructions how to protect non-wbsp files please email us at

Update: Apache server overtakes basic and digest authentication and does not send credentials to WhizBase, so the only type that works with Apache is cookie authentication. Note that cookie authentication requires cookies to be enabled in visitor's browser.

Whizbase lite