Password Protecting Your Webpage
Introduction
Restricting webpage access on the basis of userid and password authentication is simple. To restrict access to one of your pages follow the step-by-step instructions, then give the people you wish to view your page the userid and password you created. These userids and passwords are completely within your control and have no relationship to the Unix userids and passwords which are used to log into the machine.
Implementing userid and password restrictions involves a few simple steps. You must be able to log into (using SSH) your web account on one of the ISU Unix web servers (web.indstate.edu; isu.indstate.edu; sapphire.indstate.edu) and use a few basic Unix commands. A basic understanding of the Unix file directory and file structure is helpful.
If you need password access restriction on some of your web pages and you don't feel comfortable setting it up in this Unix environment, you may e-mail web@isugw.indstate.edu to request assistance. We'll be happy to help you or to set it up for you.
Essential Elements
Access restriction is based on the following files which you must create:
- a special access information file (must be named .htaccess) in each subdirectory to which you wish to restrict access. This is a text file and can be created on your workstation and moved to the server then renamed. Restricted access applies to the subdirectory where the .htaccess file resides and all lower subdirectories.
- a special password file (suggested name .htpasswd). Although you can have one for each subdirectory you are restricting (by placing them in separate subdirectories or giving them different names), a single password file can be used for all your directories. This file is created with a special command, htpasswd, described in the detailed steps which follow.
Step-by-Step
To set up a single common userid/password combination for access to your pages:
- Log in to your web, isu, or sapphire account using a Secure Shell Client (Install SSH).
NOTE: DO NOT use an FTP client as this process will NOT WORK if you do not use SSH. (The .htpasswd file cannot be created from your workstation without using SSH.)
- Change into the public_html directory by typing:
cd public_html
- Create the restricted subdirectory you need by issuing the following command:
mkdir new_directory_name (where new_directory_name is the name of the directory you wish to create)
For instance, if you wanted to create a restricted directory to be accessed by your Counseling 515 class, you could create a directory called coun515 by issuing the following command:
mkdir coun515
(NOTE: This is case sensitive on SSH and also when accessing through a web browser. On the web it would be accessed by going to http://server.indstate.edu/username/coun515/)
- Change into the directory to be restricted by typing:
cd coun515
- Choose your userid and password combination(s) and create your password file by entering the following:
htpasswd -c .htpasswd first_userid
Replace first_userid with the userid you are allowing to access your pages.
You will be prompted for a password to assign to this userid.
(Remember, these userids and passwords are for your use in restricting access to your pages and have nothing to do with logging in or accessing the server in general.)
- If you need to add more userids and passwords to your file, omit the -c ('-c' is for creating a new file) parameter or you will overwrite the existing .htpasswd file.
- Make sure you are in the directory to be restricted (See Step 4).
You will need to create a new file with the restricted folder's authorization information. Do this by entering the following command:
pico .htaccess
You are now in the edit mode. Type or paste the following into your new .htaccess file:
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
require user first_userid
</Limit>
AuthName Description
AuthUserFile /www/WEBUSERS/yourusername/public_html/restricted_directory/.htpasswd
(where "first_userid" will be the userid from Step 5, "Description" will be a short description of the protected area, "yourusername" will be your web account username, and "restricted_directory" will be the path to your restricted directory.)
Note: The word "Description" can be replaced with a short description or a name of the protected area, but the "Description" needs to be "enclosed in double quotes".
For instance, if the description for your password protected area is 'Gallery of Images', then the AuthName line would be as shown below:
AuthName "Gallery of Images"
When the AuthName contains spaces, it needs to be delimited in double quotes; a missing double quote generates a 500 server error message.
To save your work and exit, press CTRL-X. Answer Y to the "Save modified buffer?" question.
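A check you can run over the finished .htaccess file before trying it in a browser, covering the mistakes these steps warn about (unquoted AuthName, wrong AuthUserFile path, a userid that was never added with htpasswd). This is an added example, not part of the original instructions; the function name check_htaccess, the temporary directory and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# check_htaccess FILE: report the setup mistakes described on this page.
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_htaccess() {
    file=$1 status=0

    # AuthName: a description with spaces must be inside double quotes,
    # or the server answers with a 500 error.
    name=$(awk 'tolower($1) == "authname" { $1 = ""; sub(/^ +/, ""); sub(/[ \t\r]+$/, ""); print; exit }' "$file")
    case $name in
        \"*\") ;;
        *\"*)  echo "AuthName: missing double quote"; status=1 ;;
        *" "*) echo "AuthName: spaces need double quotes"; status=1 ;;
    esac

    # AuthUserFile: must be the full path (as printed by pwd) of an existing file.
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$file")
    case $pwfile in
        /*) [ -f "$pwfile" ] || { echo "AuthUserFile: no such file: $pwfile"; status=1; } ;;
        *)  echo "AuthUserFile: missing or not a full path"; status=1 ;;
    esac

    # require user: every userid listed must have a line in the password file.
    for user in $(awk 'tolower($1) == "require" && tolower($2) == "user" { for (i = 3; i <= NF; i++) print $i }' "$file"); do
        if [ ! -f "$pwfile" ] || ! cut -d: -f1 "$pwfile" | grep -qxF "$user"; then
            echo "require user: no password entry for $user"; status=1
        fi
    done
    return $status
}

# Constructed sample: the two files from the steps above, but with the quotes
# left off AuthName and a second userid that was never added with htpasswd.
demo=$(mktemp -d)
printf 'first_userid:CONSTRUCTED-HASH\n' > "$demo/.htpasswd"
cat > "$demo/.htaccess" <<EOF
<Limit GET POST>
require user first_userid second_userid
</Limit>
AuthName Gallery of Images
AuthUserFile $demo/.htpasswd
EOF
check_htaccess "$demo/.htaccess" || echo "fix the lines above before testing in a browser"
rm -rf "$demo"
```

In your own account, call it from inside the restricted directory as check_htaccess .htaccess.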
Changing Passwords
- Log into your account using a Secure Shell Client (Install SSH).
(NOTE: FTP Clients will NOT work.)
- Go to the public_html directory by typing:
cd public_html
- Go to the restricted directory (depending on the structure of your website your restricted directory may be located in sub folders) by typing:
cd restricted_dir (where restricted_dir is the name of your restricted directory.)
- Once you are in the restricted directory type the following:
less .htaccess
The "AuthUserFile" value tells you exactly where your password file is located. Make a note of this location, and type "q" to exit the 'less' program.
- Now that you know where .htpasswd is located, type the following command:
htpasswd /www/WEBUSERS/yourusername/public_html/restricted_directory/.htpasswd username
Note: "/www/WEBUSERS/yourusername/public_html/restricted_directory/.htpasswd" is the location of the .htpasswd file, copied or typed from "AuthUserFile".
"username" is the username you assigned to the restricted directory; if you assigned multiple usernames, enter the username whose password you would like to change.
- Enter the new password when prompted.
Glossary of terms on the .htaccess file entries:
- You can find the full location of your directory for the AuthUserFile line by changing into the correct directory and typing the following:
pwd (this stands for present working directory)
- In the AuthUserFile entry, /www/WEBUSERS is the root directory of the server's webspace (on ISU, WEB, and SAPPHIRE) and should be entered exactly as shown; yourdirectory is the name of your departmental or user directory; public_html is the name of the directory that holds the files you wish to be viewable on the web.
- The descriptive entry value in the AuthName entry is the text that will appear in the prompt for userid and password users will see when they are being authenticated for access to your pages. Do not use double-quotes in or around this entry.
- The userid entry is the userid that must be entered, along with its associated password, during the user authentication process.
- Change the directory access mode by entering the following:
chmod 711 directory_name_here