How to Password Protect Your Web Site
Copyright © 1999 by Eureka! Internet Services Last Revised: November 25, 1999
Table of Contents
- Password Protection at Your Web Site
- Why Password Protect a Directory?
- About Telnet Access and the Unix Command Line Shell
- The .htaccess and .htpasswd Files
- How to Create the .htaccess File
- How to Create the .htpasswd File
- Testing the Password Protected Directory
1. Password Protection at Your Web Site
The Apache, NCSA, and Netscape web servers, as well as several other popular web servers, allow you to password protect one or more directories at your web site. You can password protect directories, not individual files. When an internet user tries to enter the directory that is password protected the user will be required to enter a valid user ID and associated password in order to gain access. This type of password protection is not bullet-proof, as a determined hacker can probably break into the directory. On the other hand, it will stop non-technical users from gaining unauthorized access to the protected directory.
2. Why Password Protect a Directory?
This can be useful in several situations. For example, you might want to maintain a password protected directory at your web site where only paying customers with valid user ID's and passwords can gain access. You would sell "accounts" to customers at your main, unprotected directory and then give them ID's and passwords for the protected directory. Another nifty use for password protecting directories is when you want to create a "private download" area at your site for friends, relatives, or special clients.
3. About Telnet Access and the Unix Command Line Shell
This tutorial requires you to use a "telnet" program to remotely login to the server using your user ID and passsword. You can use the telnet program that is bundled with Windows 95/98/NT for this purpose. Later in this tutorial (see section 6), we will show you you how to use telnet to gain access to your directory on the server computer and how to enter certain useful unix commands.
4. The .htaccess and .htpasswd Files
The first file you should create is called ".htaccess". You create this file using your favorite text editor. You then use FTP to upload this file to the directory on the server you want to password protect. The .htaccess file contains the password protection configuration statements.The second file you need to create is ".htpasswd". You create this file using a Unix command line utility called "htpasswd". This file contains the name and password of each user that is allowed access to the password-protected directory. The passwords are encrypted for security.
5. How to Create the .htaccess File
Using your favorite text editor, create a text file called ".htaccess" that looks like the following:
AuthName Private_Site AuthUserFile /home/httpd/html/www.yourdomain.com/.htpasswd AuthType Basic <Limit GET POST> require user username1 require user username2 require user username3 </Limit>Let's look at each statement in this file:AuthName. This line sets the "title" of the dialog box that pops up when the user tries to enter the password protected directory. You can type in anything that is appropriate as long as there are no spaces in the title.
AuthUserFile. This line sets the full Unix pathname to the ".htpasswd" file (which you are going to create in a few minutes). The ".htpasswd" file, remember, will contain a list of valid user names and passwords. Generally, this file is kept in your home directory, as indicated in the above example. On our server, the full Unix pathname to your home directory will be like so (substitute your domain name for "yourdomain.com"):
/home/httpd/html/www.yourdomain.comIf in the future your forget the pathname to your home directory you can always figure it out. Just telnet (see the discussion of telnet in section 6) to your home directory on the web server and issue this command from the Unix prompt:
pwd
The "pwd" command will show you the full pathname to your home directory starting at the system's root directory. Jot down the pathname that pwd gives you and add ".htpasswd" at the end of it.
AuthType. This sets the kind of authorization you want to use. This is kind of technical. For our purposes, all you need to know is that you set this line to "Basic".
<Limit GET POST>. This HTML-ish statement sets the type of http request that will require a user ID and password when the request is used on the protected directory. GET and POST are the two methods by which an http server can provide access to a directory to an internet user. Set both GET and POST in your limit statement and you restrict both kinds of access. The words "GET" and "POST" are case sensitive - they have to be in all capital letter.
require user username1. This statement (and the next two as well) tell the web server that a "valid" user, and an associated password, is required before the directory can be accessed. For each unique user you want to have access to the directory, add a "require user" to the .htaccess file, along with the desired user name. For example, to allow user "bob" access to the directory, add this statement to the .htaccess file:
require user bob
You will create a new user called "bob" when you create the .htpasswd file later in this tutorial.
A less tedious way to create valid users in the .htaccess file is to simply use the statement:
require valid-user
Instead of having a separate line in .htaccess for each user, you simply use this statement, which says to the web server, "allow access to all of the valid users in the .htpasswd file".
</Limit>. This statement simply "closes" the limit statement. It works much like a closing "container" tag in HTML.
That's it. Use your FTP program to upload this file into the directory you wish to password protect.
6. How to Create the .htpasswd File
First, telnet to the server using the Windows 95/98/NT telnet program:
You should now be at the Unix prompt. Your prompt may look something like this:
- Click on "Start".
- Click on "Run".
- Fill in the dialog box with "telnet"
- Click on OK.
- Click on "Connect".
- Click on "Remote system".
- Fill in the "Host Name" with "eurekais.com".
- Click on "Connect".
- When prompted, fill in your login name and hit enter.
- When prompted, fill in your password and hit enter.
"Try not. Do or do not! There is no try." -- a certain Jedi Master from Dagobah login: s12 Password: Hi, Student12! Hope you're having a nice day . . . [s12 ~]$You are placed, by default, in your "home" directory as soon as you login. Type "ls -la" and hit enter to see a directory listing in your home directory. You may see something like this:
[s12 ~]$ ls -la total 15 drwxr-xr-x 5 s12 s12 1024 Nov 26 03:51 ./ drwxr-xr-x 54 root root 2048 Nov 21 22:26 ../ -rw-r--r-- 1 s12 s12 1155 Mar 3 1999 .Xdefaults -rw-r--r-- 1 s12 s12 24 Mar 3 1999 .bash_logout -rw-r--r-- 1 s12 s12 230 Mar 3 1999 .bash_profile -rw-r--r-- 1 s12 s12 124 Mar 3 1999 .bashrc -rw-r--r-- 1 s12 s12 3336 Mar 3 1999 .screenrc drwxr-xr-x 2 s12 s12 1024 May 24 1999 cgi-bin/ drwxr-xr-x 2 s12 s12 1024 Nov 24 09:56 logs/ drwxrwxr-x 2 s12 s12 1024 Nov 26 03:51 vault/ [s12 ~]$(Note: If the directory listing scrolls by too fast and you can't see the top of the directory listing when the command is finished, add the " | more" option to the command, like this:
ls -la | moreHit the space bar to page through the listing.)
The "vault" directory, in this example, is the directory you want to password protect. It is the directory into which we have uploaded the ".htaccess" file discussed previously.
To create the .htpasswd file we run a program called "htpasswd". Type in
htpasswd -c .htpasswd boband hit enter. When prompted, enter a password for the user "bob".
This will create a brand new .htpasswd file in the current directory. The .htpasswd file will contain one user ID, "bob", and the password that you entered, in encrypted form. The "-c" makes this file overwrite any existing ".htpasswd" file (if one exists). Use the "-c" option only when you are creating the .htpasswd file for the first time. This user should correspond to a user that you "required" in your .htaccess file. (If you used the "require valid-user" statement in your .htaccess file, then any user you create using htpasswd is "valid" for the .htaccess file.)
If you want to add another user to the .htpasswd file, just type the htpasswd command again, but, this time, omit the -c option so that you don't overwrite your existing file:
htpasswd .htpasswd bubbaWant to change the password of an existing user? Easy enough. Just run htpasswd again, but this time specify an existing user name:
htpasswd .htpasswd bobHtpasswd will recognize the user as an existing user and will simply prompt you to change the password.
Want to delete a user from .htpasswd? That's a little harder. Now you have to hand edit the .htpasswd file. Let's use "pico", a popular Unix text editor to do this. Type in:
pico .htpasswdand hit enter. If you have added a few users to .htpasswd, you should see some lines of text that look like this:
bob:BpqXksG.hwQWc bubba:LxxBcTxU2Ck/cYou will see the user names, in the order in which you added them, followed by a colon and some gibberish. The gibberish is the password you entered, but it has been encrypted for security purposes. To delete a user from the .htpasswd file, just delete the line that contains the user's name. Deleting a line in pico is easy. Just position your cursor at the beginning of the line you want to delete. Press "Ctrl-k".
Finished deleting users? Press "Ctrl-x" in pico to save the .htpasswd file. Pico will ask you to "Save modified buffer?" Type in "y". Pico will ask you to write the file. Hit enter. You will now be back at the Unix prompt.
When you are finished with your telnet session, type in
exitand hit enter to disconnect from the server.
7. Testing the Password Protected Directory
Hey, let's test out this new password protected directory! Start your web browser. Point it at the directory that is password protected. The web browser should pop up a window in which you must enter a user name and a password. Enter a valid user name and a password and see if you can get access. Yes? Great!Have fun!