Creating password protected folders using htaccess
on the BC personal Web server
Important: This method of password
protecting folders does not provide protection for highly secure information.
It is mainly to
keep
more
casual
users from accessing a page through a Web browser. See the limitations
to this method of authentication for details.
On this page:
Part 1: Create a password file and put it on the server
To create a password file and put it on the server:
- Windows - Open Notepad: Click Start,
point to Programs,
point to Accessories, then click Notepad.
Macintosh - Open Text Edit: Double-click your Macintosh
HD icon,
then double-click the Applications folder, then double-click
the TextEdit icon.
- Open a new blank file and name it: htpasswd
- Set up one or more username/password combinations using one of the following
sites that can generate encrypted
UNIX passwords:
- From the form, copy and paste the username/password combinations into your
htpasswd file, noting the following:
-
Each username/password combination should be on its own line.
- Put nothing else in this file.
For example: joeuser:33dJ3Dq1oYPd2
- Using FTP, upload the htpasswd file
to your /usr/users/bcusername/ folder
on the www2.bc.edu server.
Important:
- Be sure the FTP transfer mode is set to "ASCII" and not "binary".
- Although this password is not easy to read, there are programs on
the Internet that can break this password. Part of keeping your passwords
secure is not letting anyone get access to this file. For that reason,
we recommend that you not put them in the folder with the
documents you are protecting, or even the root level of your Web site. We
recommend that you put them in the folder whose name is your username: /usr/users/bcusername/
Not in: /usr/users/bcusername/www/
- Using FTP, change the name of the file on the server to .htpasswd with
nothing before the period.
Part 2:
Create an .htaccess file in the folder you would like restricted
To create an .htaccess file in the folder you would like restricted:
- Windows - Open Notepad: Click Start,
point to Programs, point to Accessories,
then click Notepad.
Macintosh - Open Text Edit: Double-click your Macintosh
HD icon, then double-click the Applications folder,
then double-click the TextEdit icon.
- Open a new blank file and name it: htaccess
- Copy and paste the following text into the file:
AuthUserFile /usr/users/myusername/.htpasswd
AuthName "YOUR SITE'S NAME"
AuthType Basic
< Limit GET>
require user joeuser
< /Limit>
- Edit the line: AuthUserFile /usr/users/myusername/.htpasswd changing "myusername" to your BC username.
- Edit the line: AuthName "YOUR SITE'S NAME"
The words you put here show up in the authentication dialog box.
- In Netscape, this line of text appears in the middle
of the following phrase: Enter username and password for "YOUR
SITE'S NAME" at
www2.bc.edu.
Note: You cannot change the surrounding phrase: "Enter username
and password for...at www2.bc.edu."
For example: AuthName"BC Help Center Restricted
Page" appears as the following in Netscape (refer
to Figure 1):
Figure 1: Example of text that appears on login prompt in Netscape.
- In Internet Explorer, this line of text appears with
nothing around
it.
For example: AuthName"BC Help Center Restricted Page" appears
as the following in Internet Explorer (refer to Figure 2):
Figure 2: Example of text that appears on login prompt in Internet Explorer.
- In the second to last line, change the word "joeuser" to
the username you put in your password file.
Important: Do not include the password in this file.
For example, to change the username to "anotheruser" this last 3 lines would read:
< Limit GET>
require user anotheruser
< /Limit>
-OR-
To allow any
username/password combination in your password file to access the folder, enter
the following for the last 3 lines:
<Limit GET POST>
require valid-user
</Limit>
- Using FTP, upload your edited htaccess file
inside the folder you want restricted on the www2.bc.edu server.
Important: Be sure the FTP transfer mode is set to "ASCII" and not "binary".
- Using FTP, change the name of the file on the server to .htaccess with
nothing before the period.
Part 3: Test the set up
To test the set up:
- Open your Web browser and go to the page you have just protected.
You
should receive an authentication dialog box similar to Figure 1 and 2 above.
- Enter an incorrect username and
password to make sure it fails.
- Enter the correct username with an incorrect password to make sure
it fails.
- Enter the correct username and password to make sure it works.
Limitations to this method of authentication
The following are limitations to this "basic" method of authentication:
- The password is not encrypted as it goes over the network,
so it could be sniffed.
- The password and username remain in the browser until the user closes
their Web browser completely. This means that shared computers or unattended
computers are potential
security risks.
- If the user tries to go to another www2.bc.edu site that
has a different username and password, they will get an immediate "access
denied" message.
They will not even see the authentication dialog box. This is because with
basic authentication,
the username and password is stored in the browser and the system makes the
assumption that for any given server a person has only one username and password.
To get
past this limitation the user must close all windows of the Web browser, quit
the browser, and then launch a new browser session to go to the second location.
- The .htaccess restriction only limits access through a Web browser. Other
BC students, faculty, and staff who have accounts on the www2 server may be
able to retrieve your documents using FTP. Remember that www2 is primarily a
public Web server, not designed for restricting confidential documents.
For better handling of confidential documents, use
MyFiles@bc
and WebCT
Web.
Need more help?
Web site feedback
