
Topic: Password Security

In this topic section, you will learn how to set up Web password security. Before you place this security scheme on a production Web site, set up and test your work in a temporary Web directory.

First, create a file called ".htaccess" using a text editor. It should contain the following information:

     AuthType Basic
     AuthName Protected Files
     AuthUserFile %path%/.passwd
     AuthGroupFile /dev/null
     <LIMIT GET>
     require valid-user
     </LIMIT>

NOTE: Be sure to replace "%path%" with the correct full path name for the location of your .passwd file (which will be created below).

This example shows only one of many possible ways to set up your .htaccess file. For more configuration options, please visit NCSA's tutorial on Web security.

If you follow these directions, your Web site will be configured so that only those users who know the valid name and password can access the files in the protected directory. Let's look at what each line does:

AuthType Basic
This line selects HTTP Basic authentication (the username/password prompt your browser shows). There is nothing to change on it, but it must be present, and it must be typed exactly as shown.
AuthName Protected Files
This line tells the browser to include the words "Protected Files" in its prompt when it asks for a password. You can put just about anything on this line, but ideally it should indicate something about the directory the user is about to log into.
AuthUserFile %path%/.passwd
This line gives the full UNIX path and filename for your Web password file (which will be created below). You can have a different password file for each protected directory, or you can lump all the passwords together in one file.
AuthGroupFile /dev/null
This line specifies the name of a file that can be used to make groups of passwords. This example doesn't use groups, so we just use /dev/null, the standard UNIX empty file. If you want to learn about groups, read NCSA's tutorial on Web security.
<LIMIT GET>
require valid-user
</LIMIT>

These three lines are what actually turn on the password feature. The line "require valid-user" tells the system that anyone who enters a correct username and password can access the directory and its contents.

Now it's time to create your password file. This file is completely unrelated to the UNIX system password file, so you are free to make up whatever usernames and passwords you want in your Web password file. Make sure you are in the directory you want to protect, then at a UNIX prompt type this command:

     htpasswd -c .passwd username

You will be asked (twice) for a password for the user username. This command will create the .passwd file, which will contain an encrypted (one-way hashed) version of the password, never the password itself. Once the .passwd file is created, you need to make the password file world-readable so that the Web server can read it (note that this also lets other users on the same machine read the hashed passwords, so choose passwords that are not used anywhere else):

     chmod 644 .passwd

Your directory is now protected. Any files you put into it will be accessible only to users who identify themselves as username, and who enter the correct password.

You can add more users to your password file at any time. Simply go to the directory where the .passwd file is, and type:

     htpasswd .passwd newuser

This will add another user, newuser, to the list and ask for a password (twice) for this user.

To delete a user from your password file, use a text editor to edit the password file, and delete the line that begins with the user's name.
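To make concrete what the server does with these two files, here is an added Python example (not part of the original page or of NCSA's tutorial) that parses a constructed .passwd file, issues the Basic-auth challenge built from AuthName, and enforces "require valid-user" against the Authorization header a browser sends back. It assumes the "{SHA}" hash format that later versions of htpasswd write with the -s option; the 1996 tool wrote crypt(3) hashes instead, but the lookup and comparison logic is the same.

```python
import base64
import hashlib
import hmac

def sha_entry(password):
    """Hash a password the way `htpasswd -s` does: '{SHA}' + base64(SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

# Constructed sample .passwd with two users (the file htpasswd would create).
PASSWD_FILE = "\n".join([
    "username:" + sha_entry("correct horse"),
    "newuser:" + sha_entry("s3cret"),
]) + "\n"

def load_passwd(text):
    """Parse .passwd lines of the form user:hash into a dict."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users

def challenge(realm):
    """The header the server sends when no valid credentials are present;
    the realm is the AuthName value from .htaccess."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm

def check_password(stored, password):
    """Compare in constant time; only the {SHA} format is handled here."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_entry(password))
    return False

def authorize(header, users):
    """Mimic 'require valid-user': return the user name if the Authorization
    header carries valid Basic credentials for a known user, else None."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")
    if not sep or user not in users:
        return None
    return user if check_password(users[user], password) else None

def basic_header(user, password):
    """Build the Authorization header value a browser sends after the prompt."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
```

Deleting a user is exactly what the page describes: drop that user's line from the file and the lookup in authorize() fails for them.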

URLs:

NCSA's tutorial on Web security

W3E References:

security

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

E-Mail: The World Wide Web Encyclopedia at wwwe@tab.com
E-Mail: Charles River Media at chrivmedia@aol.com
Copyright 1996 Charles River Media. All rights reserved.
Text - Copyright © 1995, 1996 - James Michael Stewart & Ed Tittel.
Web Layout - Copyright © 1995, 1996 - LANWrights & IMPACT Online.
Revised -- February 20th, 1996