Web User Authentication:
How to Make an ".htaccess" File.

Computing & Information Services Department.
author: cwis.admin@unh.edu

updated 06-OCT-1998

Web servers typically support a mechanism to limit access to Web pages on a directory by directory basis, using either domain names or user names and passwords. In computer security jargon this is "authentication" (making sure you know the identity of the client) and "authorization" (deciding to allow or deny based on the authentication). The most common mechanism is the ".htaccess" file, introduced in the NCSA server and continued in the Apache server. According to the Netcraft survey for September, 1998, there were 1.6 million Apache servers in use on the Web (rapidly growing) and 66 thousand NCSA servers (slightly declining).

Overview.

The following examples are intended to help anyone who has a central Unix account (CISUNIX) and who uses the PubPages server (NCSA) http://pubpages.unh.edu/ or who has a Contributor Account for the UNHINFO server (Apache). For basics, as described here, the NCSA and Apache servers are similar, but with important differences. Apache does not support all of the syntax as documented for NCSA servers and the examples below are for Apache. See the references below for more details and alternative examples.

Caveats.

Before you get too excited with plans to authenticate everything in sight, consider these points:
  • Authentication adds overhead to the Web server. And it adds overhead for you, more files and details to maintain. Only use authentication where it is really needed.

  • These methods are moderately secure, but are not up to the level of public-key encryption and do not provide the full range of password management features that we associate with a modern operating system. Do not rely on this authentication for sensitive human resources or financial data -- and never store passwords in unencrypted files that are on the Internet.

  • On the CISUNIX PubPages system, this security is undercut by the fact that anyone with an account on the CISUNIX systems can directly read your Web files from the shell prompt, bypassing the Web server entirely, because the files must be world-readable in order to be served.

If the host you intend to allow or deny access to gets its network configuration from a DHCP server, make sure its address is static rather than dynamic, and specify it as an IP address rather than a domain name.

Examples.

These examples assume the needed files, either ".htaccess" or ".htpasswd", are created on an account on the central Unix systems and are either used there (PubPages) or are copied (UNHINFO Contributor). If copied, they can be treated as plain ASCII files.
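As an added example (not from the original page or the UNH servers), the pieces described above: a user/password entry in the hashed ".htpasswd" form that `htpasswd -s` writes, the check a server performs against it, an Apache 1.x-style ".htaccess" combining host-based allow/deny with "require valid-user", and the octet-boundary matching that "allow from" applies to partial IP addresses. The realm name, the password-file path and the 192.0.2.x addresses are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Hypothetical values, not from the original page: a realm name and the
# password file on a central Unix account (placeholder path).
REALM = "Example Protected Area"
PASSWD_FILE = "/home/USERNAME/.htpasswd"


def htpasswd_entry(user: str, password: str) -> str:
    """One line of .htpasswd in the {SHA} format produced by `htpasswd -s`:
    the password is stored hashed, never in clear text."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def check_password(entry: str, password: str) -> bool:
    """Recompute the {SHA} hash for a supplied password and compare it in
    constant time, as the server does on each Basic-auth request."""
    _user, stored = entry.split(":", 1)
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} entries are handled here")
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)


def host_allowed(client_ip: str, allow_from: list[str]) -> bool:
    """Evaluate 'order deny,allow / deny from all / allow from ...' for dotted
    IP addresses. An entry is a full address or a partial one such as
    '192.0.2' that must match on an octet boundary (not '192.0.25.1')."""
    for entry in allow_from:
        prefix = entry if entry.endswith(".") else entry + "."
        if client_ip == entry or (client_ip + ".").startswith(prefix):
            return True
    return False


def htaccess_text(realm: str, passwd_file: str, allow_from: list[str]) -> str:
    """Build an .htaccess that requires BOTH an allowed client address and a
    valid user/password ('Satisfy all'); the password file must be readable
    by the server but should live outside the served directory tree."""
    lines = ["AuthType Basic", f'AuthName "{realm}"', f"AuthUserFile {passwd_file}",
             "<Limit GET POST>", "order deny,allow", "deny from all"]
    lines += [f"allow from {a}" for a in allow_from]
    lines += ["require valid-user", "Satisfy all", "</Limit>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(htpasswd_entry("alice", "password"))
    print(htaccess_text(REALM, PASSWD_FILE, ["192.0.2"]))
```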


References.

More reading on .htaccess files:

