HWG Resources FAQs

Password protecting web pages

Table of Contents

  1. Introduction
  2. Apache
  3. IIS
  4. Netscape
  5. Other

  1. Introduction

    Often it is desirable to protect a certain portion of an otherwise public web site. The easiest way to do this is to use the "Basic Authentication" scheme that is built into the HTTP specification. Unfortunately, each web server has its own way of implementing this scheme. They all look the same on the client end: a dialog pops up and requests a username and password, and then lets you in (or not). What follows are instructions for getting this working on several of the more widely used HTTP servers out there.

    Table of Contents | HWG-Servers FAQ

  2. Apache

    Since Apache is used on more than 50% of the sites on the WWW, we'll start there. Apache allows you to protect a document, an entire directory, or files that match a certain pattern, and allow them to be accessed by a certain user, a group of users, or users from a certain domain or machine.

    These settings can be made either in the main server configuration files, or in a .htaccess (pronounced "dot H T Access") file in the directory to be affected. I will assume that the settings will be made in a .htaccess file, since that is the usual way of doing this.

    There are several steps in the process; do the ones that apply to your situation and to the effect you are trying to achieve.

    First you will need to create a .htpasswd file, containing the names and passwords of the users that will need to have access to the site. On Unix systems, the password is encrypted, and must be created using the htpasswd program. Typing "htpasswd" at the command line will produce the output:

    Usage: htpasswd [-c] passwordfile username
    The -c flag creates a new file

    If you get a "Command not found" error message, contact your sysadmin.

    ALWAYS put the password file outside of the document root of your server. I typically put the file in a directory called "passwd" that is on the same directory level as the htdocs directory. This is so that malicious persons cannot download my password files for perusal at their own leisure.

    It is conventional to call the file ".htpasswd". Thus, to create a new password file with your username and password in it, type:

    htpasswd -c .htpasswd myusername

    You will then be queried for a password, and then asked to confirm that password. If you look at the file that was created, it will contain a line that looks something like:

    myusername:WPKOMv50Rqnk2

    You can add additional names to the file by repeating the command without the -c switch.

    On Apache for Win32, the passwords are encrypted using the MD5 algorithm, rather than the Unix crypt algorithm, so the password file will look a little different.

    If you wish to add several of the users to a group, create another file called .htgroup, with entries in it like:

    group: user1 anotheruser myusername

    Your next step is to actually protect the directory or file(s) in question.

    In the directory to be protected, create a file called .htaccess, and put something in it like:

    AuthUserFile /home/www/passwd/.htpasswd
    AuthGroupFile /home/www/passwd/.htgroup
    AuthName Protected
    AuthType Basic
    require group groupname

    In this example, the directory requires the user to be a member of the group "groupname". The AuthName is the word that will appear on the authentication dialog. AuthType must be Basic, since no other authentication schemes are supported at this time.

    To allow just one username, rather than a whole group, use the following:

    AuthUserFile /home/www/passwd/.htpasswd
    AuthGroupFile /dev/null
    AuthName JustMe
    AuthType Basic
    require user me

    For more information on protecting just one document, or a set of documents matching a particular pattern, see the Files and FilesMatch directives on the Apache Core Documentation page.
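    As an added example (not part of the original FAQ or of Apache itself), the following Python script mimics what the server does with the three files described above: it parses .htpasswd and .htgroup, builds and decodes the Authorization header a browser sends after the dialog, and applies a "require user" or "require group" line, answering 401 with the AuthName realm when the check fails. It assumes {SHA} password entries (the htpasswd -s form) so that it runs with the standard library alone; crypt entries like the one shown above would need the system crypt(3) instead. The decode step also shows that Basic credentials are only base64-encoded, which is why the plain-text warning in the IIS section applies to every server.

```python
import base64
import hashlib
import hmac
# Constructed sample files in the .htpasswd / .htgroup layouts shown above; {SHA} entries
# (htpasswd -s) are assumed so verification needs only the standard library, not crypt(3).
def sha_entry(password):
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

HTPASSWD = "myusername:" + sha_entry("s3cret") + "\nuser1:" + sha_entry("hunter2") + "\n"
HTGROUP = "groupname: user1 anotheruser myusername\n"

def parse_htpasswd(text):
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def parse_htgroup(text):
    groups = {}
    for line in text.splitlines():
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups

def password_ok(stored, password):
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_entry(password))

def basic_header(user, password):
    # What the browser sends after the dialog: base64 of "user:password", no encryption.
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def decode_basic(header):
    # The reverse step: whoever captures the header gets the password exactly as typed.
    scheme, _, blob = header.partition(" ")
    try:
        raw = base64.b64decode(blob, validate=True).decode("latin-1")
    except ValueError:
        return None
    if scheme.lower() != "basic" or ":" not in raw:
        return None
    return tuple(raw.split(":", 1))

def authorize(auth_header, require, users, groups):
    challenge = 'WWW-Authenticate: Basic realm="Protected"'  # realm comes from AuthName
    creds = decode_basic(auth_header) if auth_header else None
    if not creds or not password_ok(users.get(creds[0], ""), creds[1]):
        return 401, challenge
    kind, _, name = require.partition(" ")
    if kind == "user" and creds[0] == name:
        return 200, "user %s allowed" % creds[0]
    if kind == "group" and creds[0] in groups.get(name, ()):
        return 200, "user %s in group %s" % (creds[0], name)
    return 401, challenge
```

    A name listed in .htgroup but absent from .htpasswd (anotheruser in the sample) is refused before the group is even consulted, so group membership alone never grants access.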


  3. IIS

    Just so there is no chance of ambiguity, let me say up front that I feel that the way that IIS has chosen to do HTTP authentication is very broken. OK, that's out of the way ...

    In order to password protect documents using IIS, you have to actually create accounts on the NT machine. You then assign permissions to the various documents so that those users have permission to read those documents. While this sounds simple enough, keep in mind that this means that user accounts and passwords are being passed across the Internet in plain text. Of course, this is also the case with ordinary Basic Authentication, but with other HTTP servers, intercepting this name/password pair simply means that you can access those web pages, while with IIS it means that you might actually be able to log into the NT machine running the HTTP server.

    IIS also has an authentication scheme called "NT Challenge and Response", which uses some variety of encryption with the password. However, this is not supported by the Netscape browser, and is not part of the HTTP standard, so should not be used unless you are sure that all of your client browsers will be IE.


  4. Netscape

    The Netscape family of HTTP servers has a GUI for setting permissions on files and directories, and for creating authentication accounts and groups. This can be accessed via the ordinary administration interface. Unfortunately, I am no longer running Netscape servers on any of the machines that I have access to, so I am not sure of the tab that you need to go to to make these settings.

    The 2.x servers also had some command-line utilities in a directory called "Extras" that allowed you to add/edit/remove login accounts and groups. This was very handy, as it allowed you to make these changes via CGI programs as well. Unfortunately, these utilities were no longer available in the 3.x versions.

    Also, by way of another disclaimer, I should add that in version 3 of the various servers, Netscape changed the way that it did a lot of things, and that is about the time that I stopped using Netscape, so I am not sure how that is done in the new versions.


  5. Other

    Since there are dozens of other HTTP servers out there, I do not pretend that this is a comprehensive guide. I would also like to add a section on O'Reilly WebSite, but I do not have access to a WebSite server. If you know how to do this on WebSite, please write something up and send it to me.

    And, each other server out there has its own way of doing things, so your best bet is to read the manual that came with your server, or get another server.


This page is maintained by Rich Bowen. Last updated on 22 December 1999.
Copyright © 1998 by the HTML Writers Guild, Inc.