One username/password only

The most common use of password protection is to allow access only to browsers who know the (single) username & password. Then the instructions on this page are sufficient. However, even if you want to have multiple passwords, you must start with a single username/password as described below.

1. IN THE DIRECTORY ITSELF

Put a world-readable file ".htaccess" in the directory of web files to be protected. The file consists of these 8 lines (editable items appear in boldface):
AuthUserFile  /www/courses/4350/2005Spr/.htpasswd
AuthGroupFile /dev/null
AuthName "my messages"
AuthType Basic

<Limit GET>
require user penny
</Limit>
(Leave an extra blank line at the bottom of the file, lest the server think the last tag is incomplete...)

EDIT LINES 1,3,7:

line #1, AuthUserFile: give the actual server file path/name of (future) password file, which should not be in the protected directory itself.

line #3, AuthName: give a string which will be used in the id/password prompt (use "quotation marks" for a multi-word string):

        *************************************************
        *  Enter username for <string> at <servername>  *
        *                                               *
        *     User ID:  ________________________        *
        *     Password: ________________________        *
        *************************************************
In this example, the top line of the prompt would read
"Enter username for my messages at amath.colorado.edu"

line #7, user: give a single "User ID" which the user(s) is supposed to enter. Both the UserID and the password are chosen by you, as described below. This is not related to any existing login name; see NOTE.


2. MAKE PASSWORD

Create the password file .htpasswd listed as "AuthUserFile" above -- it can be anywhere world-readable on the server but *NOT* in the protected directory itself -- using the program "htpasswd" (full pathname is /usr/apache/bin/htpasswd).

Use with the -c option (create passwd file) and full path names, e.g.,

  /usr/apache/bin/htpasswd -c /www/courses/4350/2005Spr/.htpasswd penny
...using the same UserID mentioned in the .htaccess file. You will be prompted twice for a password, which is then stored in the .htpasswd file in encrypted (hashed) form. (Look at it!) Do NOT use an actual Unix account password for this purpose; this is a password for a different purpose, so make up something new and different.
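
A check for the setup in steps 1 and 2, as an added example that is not part of the original page: the function audit_htaccess (a hypothetical name) reads a directory's .htaccess and reports a password file placed inside the protected directory, a "require user" name with no entry in the password file, and a <Limit> block, which makes Apache apply the requirement only to the listed methods. The demo directory, its files and the password entry are constructed.

```shell
#!/bin/sh
# Added example, not the page's own code. Audits a directory set up as above.
# Prints one finding per line; no output means every check passed.
audit_htaccess() {
    dir=$1; ht="$dir/.htaccess"
    [ -r "$ht" ] || { echo "NO_HTACCESS $ht"; return 0; }
    # Pull the password-file path and the UserID out of the .htaccess file.
    pwfile=$(awk 'tolower($1)=="authuserfile"{print $2; exit}' "$ht")
    user=$(awk 'tolower($1)=="require" && tolower($2)=="user"{print $3; exit}' "$ht")
    [ -n "$pwfile" ] || { echo "NO_AUTHUSERFILE"; return 0; }
    [ -n "$user" ] || echo "NO_REQUIRE_USER"
    # Rule from the page: the password file must not sit in the protected
    # directory. Flagging its subdirectories too is this example's assumption.
    absdir=$(cd "$dir" && pwd -P)
    pwdir=$(cd "$(dirname "$pwfile")" 2>/dev/null && pwd -P) || pwdir=
    case "$pwdir/" in "$absdir"/*) echo "PWFILE_IN_PROTECTED_DIR $pwfile" ;; esac
    # The UserID in .htaccess must match an entry in the password file.
    if [ ! -r "$pwfile" ]; then
        echo "PWFILE_UNREADABLE $pwfile"
    elif [ -n "$user" ] && ! awk -F: -v u="$user" '$1==u{f=1} END{exit !f}' "$pwfile"; then
        echo "USER_NOT_IN_PWFILE $user"
    fi
    # <Limit GET> scopes the requirement to the listed methods only.
    if grep -Eqi '^[[:space:]]*<Limit[[:space:]]' "$ht"; then
        echo "LIMIT_SCOPED_AUTH"
    fi
    return 0
}

# Constructed demo: the page's .htaccess, with a password entry made for a
# different UserID than the one named in "require user".
demo() {
    root=$(mktemp -d); mkdir "$root/site" "$root/secret"
    printf '%s\n' "AuthUserFile  $root/secret/.htpasswd" 'AuthGroupFile /dev/null' \
        'AuthName "my messages"' 'AuthType Basic' '' '<Limit GET>' \
        'require user penny' '</Limit>' '' > "$root/site/.htaccess"
    echo 'helen:CONSTRUCTED-HASH-PLACEHOLDER' > "$root/secret/.htpasswd"
    audit_htaccess "$root/site"
    rm -rf "$root"
}
demo
```

The demo reports USER_NOT_IN_PWFILE and LIMIT_SCOPED_AUTH; leaving out the <Limit GET> and </Limit> lines makes the "require user" line apply to every request method.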


NOTE:

The UserID name and password which are used for Web page access authentication have nothing to do with the login names and passwords for accounts on the server computer. In fact, do *NOT* use a person's actual computer account password for this; make up something new and inform the person of the different password.

On the other hand, it is harmless to use an existing login name for the UserID, since there is nothing particularly secret about login names. You may decide that it is simpler for that individual to let her existing login name serve as the UserID, but you do have to create a new password for her (perhaps one of her choosing) and make sure that she knows the effective UserID, the password, and the web directory for which they are used.

For typical classroom use you may want to make a web site viewable only to those taking a certain course, but not really care about a high level of security. In that case you may choose to create a single UserID with a single password, and inform everyone in that course of the same UserID/password, e.g., appm4350 and fourier. That is sufficient to keep out casual browsers.

adding more usernames/passwords