How to Password Protect Your Webpages

Many of our users have parts of their website that they do not want to be available to the general public. Some have software that they want to make available only to people who have signed-up to receive it. Other might have some pages that are intended to be seen by members of their organization only.

Setting up a password protected section of your website is fairly easy. This document covers the step-by-step instructions you need to follow to password-protect part of your website.

1. Tell your http server to allow .htaccess files

By default, your Apache http server controls all access to your site according to the permissions in one file. To change the permissions on a single directory, you first need to tell your server to recognize a special file, called ".htaccess" in that directory.

Here's what you need to do:

• Download the server access configuration file using your FTP software. The file is located in the directory /usr/local/etc/httpd/conf and is called access.conf.
• Edit this file and look for the line that reads:

  <Directory /www/htdocs>

• Find the first line after this that starts with:

  AllowOverride

• If this first line says AllowOverride All you can skip to step 2 below.
• Otherwise, change this line to read AllowOverride All
• Save your changes and FTP the file back to the server. Remember to FTP in ASCII or TEXT mode!

2. Make a directory under htdocs that you want to secure

You can only password protect a directory of files, not simply a single file. (Although you can, of course, place only one file in the password protected directory.) The next step is to create the directory that you want to protect, and move or add your files to that directory. For this example, I will use the directory /www/htdocs/protected.

Here's what you need to do:

• Using your FTP program, connect with the server and change directory to /www/htdocs
• Make the protected directory: mkdir protected
• Change directory to the protected directory
• Upload any files you want to protect. (You can do this later, but it's a good idea to put at least one file here now, so you can make sure your passwords work.)

3. Create a .htaccess file in the protected directory

On your local machine, create a file that contains the following lines:

AuthUserFile /usr/local/etc/htpasswd
AuthGroupFile /dev/null
AuthName MyCompanyWebPassword
AuthType Basic
<Limit GET PUT POST>
require user pumpkin
</Limit>

You can change some of these lines, as follows:

• The first line gives the location of the password file that we will create in step 4. We suggest you use /usr/local/etc/htpasswd, but any location will work fine, so long as it is not inside your htdocs directory.
• The second line is the location of your group file. We won't be using group files in this example, so leave that alone.
• The third line gives a name for this particular authorization. Most browsers show this name when they ask for your password. You should set this to something that describes what the password is for.
• The sixth line gives the username that is required to acces your directory. Choose any name you like, but remember it for step 4.

When you've finished creating this file, FTP it into your protected directory, and make sure to call it .htaccess in that directory.

4. Create a password for this directory

Use this form to set the password for your directory. You will need to give:

• The location of your (new) password file, if you changed it from /usr/local/etc/htpasswd, above.
• The username listed in your .htaccess file. ("pumpkin" in the example above.)
• A password that you want to use. You will have to enter the password twice, to make sure the program gets it right.

5. Give it a try

If you've done everything correctly up to this point, you should be ready to try it out. Point your browser to http://yourcompany.com/protected/index.html (assuming you used the same directory that I did, and that you have loaded a file called index.html to that directory in step 2). Your browser should open a window asking for a username and password. Enter the username you used in step 3 ("pumpkin" in the example), and the password you set in step 4. If the browser lets you in, you're all set. Congratulations!

If your browser just displays the file without asking for a password, make sure you set up the access.conf file correctly in step 1. Also make sure that you named your permissions file .htaccess and placed it in the correct directory.

If your browser returns an error message, make sure the password file in your .htaccess file (see step 3) is the same as the file you put the password into in step 4.

NOTE: Most browsers remember passwords for you until you close the program and restart it. Thus, the first time you try to access your protected directory, you will be asked for your username and password. If you go back to that directory at a later time, the browser will remember your login and will just let you in, until you close the browser program.