Password Protecting an Area of your Web Site

Problem:

How can I password protect an area of my website?



Solution:

Create an .htaccess File

An .htaccess file must be created in the directory that the user wants to secure. (Multiple directories can have .htaccess files, but there can only be one .htaccess file per directory.)

Important: Access restriction applies to a whole directory, not to a single file or HTML document. Documents that are to be restricted should be put in directories separate from those you want unrestricted.

While in the directory you want to secure, create or edit a file called .htaccess using your favorite text editor, and add the following directives:

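# Path to the .htpasswd file
AuthUserFile /www/users/andyh/private/.htpasswd
# Path to the .htgroup file (/dev/null when no groups are used)
AuthGroupFile /dev/null
# Title for the login dialog box
AuthName "Secure Area"
AuthType Basic
# Any user listed in .htpasswd may log in (for alternatives, see The "Limit" Statement below)
require valid-user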

Create an encrypted password

The .htpasswd file should contain a list of usernames and passwords. The format of the password file is straightforward, one line per user, with the line containing the user name, followed by a colon, followed by the user's password encrypted with the standard Unix password encryption.

In other words, an .htpasswd can look like this:

testuser1:jKXVnZH6eXR7
testuser2:taeWr6tbTZKO6

with one line for each user.

To generate an encrypted password, visit https://www.isye.gatech.edu/intranet/modules/encrypt/
- Type in a username and password to use.
- Copy the DES encrypted password into your .htpasswd file
- For additional users, use the form again and add a line for that user to the .htpasswd file.
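
The following Python script is an added example, not part of the original article: it reads .htpasswd content in the format described above and reports which hash format each entry uses, flagging the DES crypt and unsalted SHA-1 formats that Apache's documentation calls insecure. The function names, scheme labels and every sample entry other than the two lines shown above are constructed for illustration.

```python
import re

# Traditional crypt(3) output: 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(field):
    """Return (scheme, flagged) for the password field of one .htpasswd line."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", False
    if field.startswith("$apr1$"):
        return "apr1-md5", False
    if field.startswith("{SHA}"):
        return "sha1-unsalted", True      # no salt, single SHA-1 pass
    if DES_CRYPT.fullmatch(field):
        return "des-crypt", True          # only first 8 password chars are used
    return "unrecognized", True           # plaintext, truncated or unknown format

def audit_htpasswd(text):
    """Parse .htpasswd content and return one finding dict per entry."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, field = line.partition(":")
        if not sep or not user:
            findings.append({"line": lineno, "user": None, "scheme": "malformed",
                             "flagged": True, "duplicate": False})
            continue
        scheme, flagged = classify(field)
        findings.append({"line": lineno, "user": user, "scheme": scheme,
                         "flagged": flagged, "duplicate": user in seen})
        seen.add(user)
    return findings

# Constructed sample: the first two lines are the article's examples, the rest
# are made-up entries (the bcrypt and SHA values are placeholders, not hashes).
SAMPLE = """\
testuser1:jKXVnZH6eXR7
testuser2:taeWr6tbTZKO6
alice:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE
bob:{SHA}PLACEHOLDER=
testuser2:taeWr6tbTZKO6
no-colon-here
"""

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```

The first sample entry is reported as unrecognized because its password field is 12 characters long, one short of a complete 13-character crypt(3) value.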

Check File Permissions

Make sure both the .htpasswd and .htaccess files are readable by the web server (chmod og+r .htaccess .htpasswd)


The "Limit" Statement

The set of instructions placed between the <Limit> and </Limit> statements determines how the directory can be accessed.

Here are some example situations that require different sets of instructions:

  • Allow access to a single user: require user [username] where username is an entry in the .htpasswd file.

  • Allow access to a group of people: require group [groupname] where groupname is the name of a group in the .htgroup file.

  • Allow access to any user inside a certain domain:
    order deny,allow
    deny from all
    allow from [domain name]
    where domain name is the name of the domain to allow access to (e.g. isye.gatech.edu)

  • Deny access to any user inside a certain domain:
    order allow,deny
    allow from all
    deny from [domain name]
    where domain name is the intended domain name to deny access to.

