Limiting user access to a web page

The web server we use here at is Apache, which is a very powerful and complex server providing many useful features. Most of these features must be configured at the system level, and users needn't worry about them. There are several things that can be set up on a per-user basis, however.

One of those things is security. For any particular set of web pages a list of users may be defined, and those users given passwords. If someone does not have a user name and matching password, they are unable to see the page.

This is not the most secure mechanism imaginable. The passwords are sent over the Internet as plain, unencrypted text, and may be intercepted between the user and While stored on, they use an old-fashioned and relatively easily broken storage mechanism. If the pages in question require very secure access, this is not an appropriate mechanism. However, for many things it will more than suffice.

Setting the secure directory and files up

  • First create your directory. Make sure it has a name you'll remember easily as being secure. I tend to use <word>secure for my secure directory names.

  • Once you've created the directory, create two files within it: .htaccess and .htpassword. The first file, .htaccess, is responsible for enabling security, and the second file, .htpassword, defines who has access.

  • Last, make your index file for your new secure directory. Make sure everything links up to where you want it to.

The .htaccess file

Open the .htaccess access file. Paste in the following:

AuthName "<Area Name>"
AuthType Basic
AuthUserFile </URL/.htpassword>
require valid-user

Notes on each line:

  • You need to replace the <Area Name> (but not the quotation marks) in the AuthName line with whatever name you're going to use when you define this secure area -- it's what will come up in the login/password box/browser. You can also name more than one page with that name. If you do so, it will only ask for passwords once per session. This way multiple pages can use the same passwords and not be constantly pestering the user for passwords.

  • The AuthType sets the type of authentication to the kind we use. You don't need to do anything with that line.

  • The AuthUserFile line lists the complete path to the .htpassword file to be checked for passwords. Make sure you get it right! It can be anywhere in your home directories, and different files or pages can point to the same one. That means you can have several directories that use the same set of users and passwords. An example for my rdwarf directory:

  • The require valid-user line means a valid username and password is necessary to display the page. Nothing need be changed here either.

The .htpassword file

The following is how to create the contents of the .htpassword file, so that it will manage the .htpassword files for you. Don't open the file to do this -- do it at the prompt line!

  • To create a new .htpassword file and put a user/login word into it:
    htpasswd -c .htpassword <user>

    You'll then be prompted twice by htpasswd for that user/login word's password.

  • To add a user/login word's password to an existing .htpassword file, leave out the -c, which means "create":
    htpasswd .htpassword <next user>

  • To remove a user is a little trickier. You need to open the .htpassword file and edit it. Take out the line that begins with the user's name, then save and close the file.

That's it!