Owner Controlled Web Page Security

Overview of Password Protecting a Web Folder

This document describes how the individual owner of web pages can restrict access to those pages by username and password. This is done with .htaccess controls, which secure web documents on a per-folder basis. The web page owner controls who may access the pages by using the .htaccess controls and the procedures described in this document.

.htaccess controls require that you create three files and FTP them to your web server.

  1. The .htaccess file contains the control commands. You put the .htaccess file in the folder you want to protect.

  2. The .htgroup file lists, by username, who actually has access to the secured folder; these are the user IDs you are creating to distribute to others. Never put the .htgroup file in a web-accessible tree (i.e. don't place it in the /web/ folder or any folder below it).

  3. The .htpasswd file contains the usernames (IDs) and the encrypted passwords of the users you wish to allow into your protected web folders. Never put the .htpasswd file in a web-accessible tree (i.e. don't place it in the /web/ folder or any folder below it).

Requirements

Steps to Protect a Web Folder

Creating the .htaccess file

  1. Open a blank page in a simple text editor such as MS Windows' Notepad or the Mac's SimpleText. The .htaccess file must be a plain text file (not a formatted document such as MS Word or WordPad).
  2. Type in (or copy and paste) the following lines, substituting your own information for the placeholders (e.g. /xxxxxxxx should be your account name).

    AuthType Basic
    AuthUserFile /local/www/home/xxxxxxxx/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Site Login"

    require user username

    The statements in the above .htaccess file are described below, including the required syntax (e.g. spacing).

    AuthType Basic Defines the level or type of security being used; there should be a space before the word Basic.
    AuthUserFile /local/www/home/xxxxxxxx/.htpasswd Indicates where to find the .htpasswd file. We recommend placing it in your home (root) folder, but if you prefer to place it elsewhere, type your preferred location here. Be sure to use the .htpasswd name exactly (with the leading period) in all lower case. There should be a space after the word AuthUserFile.
    AuthGroupFile /dev/null This statement names the group file used when creating group IDs and passwords. It is not used for the single username and password described here, so copy the statement exactly as written. There should be a space after the word AuthGroupFile.
    AuthName "Site Login" or Login This statement ("Site Login" or Login) sets the title of the password box that prompts your users for their login ID and password. If you want to use spaces within the name (e.g. Site Login) you must enclose the name in quotes ("Site Login") or you will receive a server error. If you use a single-word name (e.g. Login), do not enclose it in quotes. There should be a space after the word AuthName.
    require user username Username is the ID that is specified in the .htpasswd file (see below). There should be a space after the word require and after the word user.
  3. Save this file with the name .htaccess: when saving, just type .htaccess for the filename, with no extension.

    NOTE:
    Many text editors will automatically assign an extension, often .txt. Because of this you may need to rename the file after you have transferred it to the server. 
  4. FTP the .htaccess file from your computer to the folder (directory) within your account that you wish to protect.

NOTE: Remember to verify that the file name is .htaccess without an extension. If it has an extension, rename it with your FTP tool; for example, WS_FTP has a Rename button on the Remote Site half of the window that lets you rename the selected file.
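As an added check (example code, not part of this guide), the script below parses a .htaccess file and tests it against the rules given above: AuthType Basic, an absolute AuthUserFile path named .htpasswd that is not under the web-accessible /web/ folder, AuthGroupFile /dev/null, a quoted multi-word AuthName, and a require user line. The two sample files are constructed for the example.

```python
"""Constructed example: check a .htaccess file against the rules in this guide."""
import shlex

# Constructed samples: one file that follows the guide, and one with the unquoted
# multi-word AuthName that the guide says produces a server error.
GOOD_HTACCESS = """AuthType Basic
AuthUserFile /local/www/home/xxxxxxxx/.htpasswd
AuthGroupFile /dev/null
AuthName "Site Login"
require user username
"""

BAD_HTACCESS = """AuthType Basic
AuthUserFile /local/www/home/xxxxxxxx/.htpasswd
AuthGroupFile /dev/null
AuthName Site Login
require user username
"""


def parse_directives(text):
    """Return (directive, arguments) tuples; shlex honours the quotes around AuthName."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def check_htaccess(text):
    """Return a list of problems; an empty list means the file follows the guide."""
    problems = []
    seen = {}
    for name, args in parse_directives(text):
        seen[name] = args
        if name == "AuthName" and len(args) != 1:
            problems.append("AuthName with spaces must be enclosed in double quotes")
    if seen.get("AuthType") != ["Basic"]:
        problems.append("AuthType must be Basic")
    path = seen.get("AuthUserFile", [""])[0]
    if not path.startswith("/") or not path.endswith("/.htpasswd"):
        problems.append("AuthUserFile must be an absolute path ending in /.htpasswd")
    if "/web/" in path:
        problems.append(".htpasswd must not live under the web-accessible /web/ folder")
    if seen.get("AuthGroupFile") != ["/dev/null"]:
        problems.append("AuthGroupFile should be /dev/null for a single-user setup")
    req = seen.get("require")
    if not req or req[0] != "user" or len(req) < 2:
        problems.append("require user <username> is missing")
    return problems
```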

Creating the .htpasswd File

The password within the .htpasswd file is stored in encrypted form. Because of this there is an extra step when creating the .htpasswd file: generating the encrypted password.

Encrypting a password is done easily with the .htpasswd Password Generator utility. The steps below walk you through creating the .htpasswd file using the password generator tool.

  1. Open a blank page in a simple text editor such as MS Windows' Notepad or the Mac's SimpleText. The .htpasswd file must be a plain text file (not a formatted document such as MS Word or WordPad).
  2. Using your web browser, go to this URL and follow the instructions on the screen: http://www.uiowa.edu/~uiweb/centralserver/password.shtml
  3. If you followed the instructions on the above URL (the Password Generator page), you should have copied the generated username:password line into the .htpasswd file (which at that point was just a blank page in your text editor).
  4. Save the text file you just created. Be sure to name it .htpasswd. Don't worry about the gibberish-looking text; that is the encrypted password produced by the password generator tool.
  5. FTP the .htpasswd file from your computer to your account. Be sure to put this file in a folder that is not accessible to others; it is recommended to place the .htpasswd file in your home folder or root directory. If you prefer, you can place the .htpasswd file in a folder other than your home folder; if you do this, be sure that the path is referenced correctly in the AuthUserFile statement of the .htaccess file.

    NOTES:

    1. Remember to verify that the file name is .htpasswd without an extension. If it has an extension, rename it with your FTP tool; for example, WS_FTP has a Rename button on the Remote Site half of the window that lets you rename the selected file.
    2. When saving the file, just type .htpasswd for the filename with no extension. Many text editors will automatically assign an extension, often .txt. Because of this you may need to rename the file after you have transferred it to the server.
    3. When generating the password, please note that passwords have an effective limit of 8 alphanumeric characters.
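The following added example (not the Password Generator's code) builds a username:hash line in the traditional crypt(3) form, parses a .htpasswd file, and checks an offered password the way Basic authentication does; it also demonstrates note 3 above, because traditional crypt uses only the first 8 characters of the password. It assumes Python's crypt module, which is deprecated and missing on 3.13 and later, so the helper reports that instead of failing. All usernames and passwords are constructed sample values.

```python
"""Constructed example: create and verify .htpasswd entries with traditional crypt(3)."""
try:
    import crypt  # deprecated since Python 3.11, removed in 3.13
except ImportError:
    crypt = None


def crypt_available():
    """True when the platform crypt() can produce a traditional 13-character DES hash."""
    if crypt is None:
        return False
    try:
        return len(crypt.crypt("probe", "ab") or "") == 13
    except Exception:
        return False


def make_entry(username, password, salt="aa"):
    """Return the 'username:hash' line that goes into .htpasswd (salt is a sample value)."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    return f"{username}:{crypt.crypt(password, salt)}"


def parse_htpasswd(text):
    """Map username -> stored hash; each line is 'user:hash'."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def verify(users, username, password):
    """Re-hash the offered password using the stored hash as salt and compare."""
    stored = users.get(username)
    if stored is None:
        return False
    return crypt.crypt(password, stored) == stored


def truncation_demo(salt="aa"):
    """Note 3 in practice: 'longpass' matches a hash of 'longpassword', 'longpasX' does not."""
    users = parse_htpasswd(make_entry("alice", "longpassword", salt))
    return verify(users, "alice", "longpass"), verify(users, "alice", "longpasX")
```

The 8-character truncation means a long passphrase gives no more protection than its first 8 characters with this scheme.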

Testing your Security

Now that you have created your ID and password and secured your folder(s), you should test them to be sure they work before you start distributing the ID to others. Simply use your browser to go to your URL and enter your new ID and password to see whether you get proper access.


Figure 3: The login dialog box that is presented to your users when they try to access your web folder(s).