How to configure a web page to require a username and password
If all of your users have PennKeys, please consider the much simpler approach using Penn Weblogin.
The HTTP Basic Authentication method allows you to restrict access to areas
of your website by managing your own usernames and passwords. Use this approach
if you need to restrict access to users who do not have PennKeys and/or want
the convenience of sharing a single username and password among users. It is
available on all domains via HTTPS (such as
To use HTTP Basic Authentication on SEAS servers, you'll need to create two
files, .htaccess and .htpasswd, in the folder you
want to protect.
Using your favorite text editor, create a
.htaccess file in the
directory you want to secure with contents similar to this:
AuthName "Restricted Area"
The path to the password file after
AuthUserFile follows this format:
If you've created the file locally, save it and upload it to the directory you want to protect using your favorite FTP client (more info).
If you are comfortable using common UNIX text editors like
nano, it may be easier to create the file
directly on the server.
.htpasswd file with the
- Connect to eniac.seas.upenn.edu via the command
line. Navigate to the folder you want to protect (the location you
- Run the htpasswd command with the -c option to initialize your .htpasswd file. It will create the file if it doesn't exist or replace all of the contents in an existing file with the specified user. In this example, the file is initialized with the user "cliff" (use whatever username you want):
htpasswd -c .htpasswd cliff
- You will be prompted to enter a password for the user.
Add users or change passwords for existing users
To add more users or change the password for an existing user, simply run
htpasswd without the
-c option. In this example, a new user,
"eric", is added:
htpasswd .htpasswd eric
Set file and directory permissions
Make sure both your .htaccess and .htpasswd files
are readable by the web server. In most cases this will mean making them world
readable (more info on changing permissions). For
extra security, run the
chgrp-httpd command mentioned below to
give the web server read access to the directory while preventing anyone else
from seeing into it.
Note: it is not advisable to use the chgrp-httpd script if you are protecting files in your CGI directory. Instead, chmod the protected directory to 711.
This final step is important to make sure people with local accounts can't access your files via the UNIX file system. Set the correct permissions on your protected folder by running the following command from within the directory you want to protect:
Note: chgrp-httpd will only run on Eniac.
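Once the steps above are done, a self-check like the following can catch the common mistakes before you rely on the login prompt. This is an added example, not part of the original page or SEAS tooling: the function name audit_basic_auth is hypothetical, it assumes the standard Apache directives AuthType, AuthUserFile and Require, and the demo users and hash strings are constructed.

```shell
#!/bin/sh
# Added example: audit a directory protected with .htaccess/.htpasswd.
# Prints one "FINDING:" line per problem; returns 1 if any were found.
audit_basic_auth() {
    dir=$1; bad=0
    note() { echo "FINDING: $*"; bad=1; }
    ht="$dir/.htaccess"
    [ -r "$ht" ] || { note "$ht is missing or unreadable"; return 1; }
    # Basic auth needs all three directives to work.
    for d in AuthType AuthUserFile Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$ht" || note "no $d directive in $ht"
    done
    # Password file named by AuthUserFile (assumes a path without spaces).
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case $pw in
        /*) ;;
        "") return 1 ;;  # missing directive already reported above
        *)  note "AuthUserFile '$pw' is not an absolute path"; return 1 ;;
    esac
    [ -r "$pw" ] || { note "$pw is missing or unreadable"; return 1; }
    # Entries are user:hash; flag formats the Apache docs call insecure.
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        case $hash in
            '$'*)     ;;  # salted scheme, e.g. $apr1$ (Apache MD5) or $2y$ (bcrypt)
            '{SHA}'*) note "user $user: unsalted SHA-1 hash" ;;
            '')       note "user $user: no password hash" ;;
            *)        note "user $user: crypt() or plaintext entry" ;;
        esac
    done < "$pw"
    # The web server needs read access; nobody else needs write access.
    for f in "$ht" "$pw"; do
        [ -z "$(find -L "$f" -perm -002)" ] || note "$f is world-writable"
    done
    return $bad
}

# Constructed demo: throwaway directory, made-up users and hash strings.
demo=$(mktemp -d)
printf 'AuthType Basic\nAuthName "Restricted Area"\nAuthUserFile %s/.htpasswd\nRequire valid-user\n' \
    "$demo" > "$demo/.htaccess"
printf 'cliff:$apr1$CONSTRUCTED$notARealHash\neric:{SHA}notARealDigest=\n' > "$demo/.htpasswd"
chmod 644 "$demo/.htaccess" "$demo/.htpasswd"
audit_basic_auth "$demo" || echo "fix the findings above before relying on the login prompt"
rm -rf "$demo"
```

To check a real directory, call audit_basic_auth with the path of the folder you protected; no output and a zero exit status mean none of these problems were found.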
Accessing Your Protected Site
Your password protected site should now be available:
Replace "username" with your SEAS account name and "protected" with the directory you created. Note the https - you will get a server error if you try to use http.
For security reasons, directory listings are disabled by default on SEAS web servers. You can override this setting after setting up password auth by generating an index file.
For more things you can do with your .htaccess file, please visit Apache's site.