Web User Authentication.
Example 3:
User Name and Password.
Computing & Information Services Department.
author: cwis.admin@unh.edu
last modified September 20, 2000
Overview.
This example shows how to require a user name and
password for access to all Web pages in a particular
(sub)directory on a Web server running the Apache
server software (such as UNHINFO and Pubpages on the
UNH Campus). Plan to place all the files that merit
protection into one subdirectory (folder), separate
from your public-access Web files.
Scope.
In this example we create just one general user name
and password, intended to be shared by a group, but you
can create multiple user names and passwords, each pair
different. User names and passwords can also be combined
with address restrictions, which gets more complex; you
may need to read some of the references for that.
CAVEAT: We have verified this for the Apache
Web server, but not for other Web servers.
DISCLAIMER: This security is reasonably effective
against casual snoopers, but it is not claimed to be
strong encryption (Basic authentication sends the user
name and password with every request in an encoded,
not encrypted, form) and should not be used with
highly sensitive data.
UNHINFO Context.
While this example is intended to be applicable
to any Apache Web server, we look at this
in a UNHINFO context.
If you have a UNHINFO
Contributor Account,
you will need to create two files to FTP
into place. These are dot-files whose names
begin with a period:
.htaccess
.htpasswd
The .htaccess file is a text file that
can be created on any convenient system.
The .htpasswd file is a text file that
must be created on a Unix system using a special
utility program that encrypts the password(s).
We'll assume use of a CISUNIX account for that.
Both files need to be copied (FTP) into place
in the applicable directory in your Contributor
Account.
There are online FTP instructions for UNHINFO Contributors.
The recipe:
- Create the .htaccess control file using
your editor of choice, e.g., pico on CISUNIX.
Remember, Unix files that begin with a dot
are special and do not show up in normal
directory listings; you need the "-a" switch
to see them, as in:
% ls -al
OK, create the following five-line .htaccess
file. Each line begins in column 1. Exact case
and spacing matter:
AuthUserFile /usr/local/web/data/users/unh/zap/pro/.htpasswd
AuthGroupFile /dev/null
AuthName AllowLocalAccess
AuthType Basic
require valid-user
- The 1st line specifies where the password file
is located in your directory, and it must be
the full directory path without any shortcuts
(no "~" or relative paths).
This example shows a typical UNHINFO directory
path if your Contributor Account were "zap"
and the protected files were in a subdirectory
called "pro".
How do you find out what that is? FTP to your
account, navigate to the subdirectory that will hold
the protected files (create the subdirectory if
necessary) and issue a "pwd" command (Unix-speak
for "print working directory").
Alternatively, if you are logged in
on the central Unix systems you
can find out your full path at the shell prompt with
"echo ~".
- The 2nd line indicates where the groups file is
located. None is used here, so we specify the
Unix null device, /dev/null.
- The 3rd line is a realm name assigned for this
protection; the browser shows it in its login
prompt. Just copy the example.
- The 4th line specifies Basic authentication. Don't
worry about other types for beginner purposes.
- The 5th line adds the requirement that someone will have to
supply a user name and password. The password will
be created and stored in a second file named
".htpasswd" as described below.
- Now you need to create the ".htpasswd" file by
running the "htpasswd" program after logging in to
your CISUNIX account and moving to the shell prompt
("%").
Run the htpasswd command as:
% htpasswd -c /usr/local/web/data/users/unh/zap/pro/.htpasswd guest
where the directory path is the same as used in the
".htaccess" file above, ending with the ".htpasswd" file
name that is to be created. This does three things:
- First, it creates the .htpasswd file.
- Second, it causes the htpasswd program to create an entry
for the user name of "guest". This could be something
else (up to eight characters) if you wish.
- Third, it prompts you to enter the password for that account
(twice). When I did this I used "millennium" as a password
and in the resulting file there is this entry with
the password encrypted:
guest:BSxmTv2hV2rNU
Do not try to edit the .htpasswd file with pico or
another text editor -- the htpasswd program is designed
for its maintenance. To add a further user name later,
run htpasswd on the same file without the "-c" switch:
"-c" creates a new file and discards any existing entries.
- Now create a file called "test.html" that is a
target file that you are protecting. Contents can be
anything as long as it is valid HTML.
- If you are placing these in a UNHINFO Contributor
Account, FTP to that account. Create the subdirectory
("pro" in this example) if it does not already exist.
Copy the three files (.htaccess, .htpasswd, test.html)
into the subdirectory.
- If you are placing these for serving by
Pubpages from within your CISUNIX account, copy
the files into an appropriate subdirectory and
make sure they are world-readable (note that a
plain "*" does not match files whose names begin
with a dot, so name them explicitly):
% ls -al
% chmod go+r .htaccess .htpasswd test.html (if necessary)
- OK, now you can test it by entering the appropriate
URL in your browser. In this example, if "zap"
was both your account name and the name of your
home directory, then we might have:
http://www.unh.edu/zap/pro/test.html
For a working example try:
http://pubpages.unh.edu/~jwc/Secure/test.html
You will see a form asking for the user name and password.
Enter "guest" and "millennium". If you succeed,
then the page is displayed.
If you fail, you will get a dialog box reporting
"Authorization failed. Retry?" and a yes or no choice.
If your own example is not working, be sure to double-check
everything, since this is very detail dependent.
- On the CISUNIX PubPages system, this password security
is undercut by the fact that anyone with an account on
the CISUNIX systems can directly access your Web files
from the shell prompt, without a Web server, because
the protected files must be world-readable to be served.
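The check that the five-line .htaccess sets up, as an added Python model (not code from the original page or from Apache): it parses the .htaccess directives, decodes a browser's Authorization header, looks the user name up in a constructed .htpasswd entry and answers 200 or a 401 challenge carrying the AuthName realm. It assumes the "{SHA}" entry format written by "htpasswd -s" rather than the crypt-style entry shown above, and the names parse_htaccess, sha_entry, check_basic and demo are the example's own.

```python
import base64
import hashlib
import hmac

# The five-line .htaccess from the recipe above (AuthUserFile is the page's example path).
HTACCESS = """AuthUserFile /usr/local/web/data/users/unh/zap/pro/.htpasswd
AuthGroupFile /dev/null
AuthName AllowLocalAccess
AuthType Basic
require valid-user
"""

def parse_htaccess(text):
    """Map each directive (names are case-insensitive in Apache) to its argument."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.strip().partition(" ")
            conf[name.lower()] = value.strip()
    return conf

def sha_entry(user, password):
    """One .htpasswd line as 'htpasswd -s' writes it: user:{SHA}base64(sha1(password))."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

def check_basic(conf, users, authorization):
    """Decide a request as 'require valid-user' does: (200, None) or (401, challenge)."""
    challenge = f'Basic realm="{conf["authname"]}"'  # sent as WWW-Authenticate
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic" or conf.get("authtype", "").lower() != "basic":
        return 401, challenge
    try:
        # Basic credentials are base64-encoded, not encrypted; a wire snooper decodes them like this.
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # malformed base64 or non-text bytes
        return 401, challenge
    stored = users.get(user)  # {SHA} entries only; crypt-style ones are rejected here
    if stored is None or not stored.startswith("{SHA}"):
        return 401, challenge
    expected = sha_entry(user, password).split(":", 1)[1]
    return (200, None) if hmac.compare_digest(stored, expected) else (401, challenge)

def demo():
    """Constructed .htpasswd with the page's guest/millennium pair, then three attempts."""
    conf = parse_htaccess(HTACCESS)
    users = dict([sha_entry("guest", "millennium").split(":", 1)])
    attempts = [b"guest:millennium", b"guest:wrong", None]
    headers = ["Basic " + base64.b64encode(a).decode() if a else None for a in attempts]
    return [check_basic(conf, users, h) for h in headers]
```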