How to configure a web page to require a username and password

This type of authentication lets you set usernames and passwords that give specific people access to your secure folder, so they do not need to have PennKeys. You can also use one username and password for everyone. The .htaccess and .htpasswd files reside in the folder you want to protect. This method is available on all domains via https://.

Create your .htaccess file

  1. Create a new file called ".htaccess" using your favorite text editor.
  2. The file should contain something similar to this:

    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home1/c/clifford/public_html/protected/.htpasswd
    require valid-user

     Change the path after "AuthUserFile" to the location where your .htpasswd file will be (it should be in the same directory as .htaccess). You can simply change "c" to the first letter of your PennKey, "clifford" to your full PennKey, and "protected" to the directory you want to protect.
  3. Save the file and upload it to the directory you want to protect using your favorite FTP client (more info).

Note: If you are comfortable using vi or emacs on the command line, it may be easier to create the file directly on the server.

Set up authentication using htpasswd

  1. Connect to Eniac via the command line (we recommend SecureCRT). Navigate to the folder you want to protect (the location you uploaded your .htaccess file to).
  2. Use the following command to create a new .htpasswd file and set up the user "cliff" (change to whatever username you want):

    htpasswd -c .htpasswd cliff

  3. You will be prompted to enter a password for the user.
  4. To add other users, use this syntax (where "eric" is another username you want to use). Leave out the -c option here: it creates a new file and would overwrite the existing one.

    htpasswd .htpasswd eric

  5. Make sure both your .htaccess and .htpasswd files are readable by the web server. In most cases this will mean making them world readable (more info on changing permissions). For extra security, run the "chgrp-httpd" command mentioned below to give the web server read access to the directory while preventing anyone else from seeing into it.

Setting the directory permissions

Note: it is not advisable to use the chgrp-httpd script if you are protecting files in your CGI directory. Instead, chmod the protected directory to 711.

This final step is important to make sure people with local accounts can't access your files via the Unix file system. Set the correct permissions on your protected folder by running the following command from within the directory you want to protect:

chgrp-httpd .

Note: chgrp-httpd will only run on Eniac.
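
Once all three steps are done, a quick check of the result can catch a mistyped path or an open directory. The script below is an added example, not part of the original SEAS instructions; the function name check_protected_dir is hypothetical, and it assumes that "preventing anyone else from seeing into it" means the directory has no read bit for "other".

```shell
#!/bin/sh
# Added example: sanity-check a directory protected with the .htaccess and
# .htpasswd setup described on this page. Prints one FAIL line per problem
# and returns the number of problems (0 = looks correct).
# Usage: check_protected_dir /path/to/public_html/protected
check_protected_dir() {
    dir=$1
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    ht="$dir/.htaccess"
    [ -r "$ht" ] || { echo "FAIL: $ht is missing or unreadable"; return 1; }

    # The two directives that turn the password prompt on.
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" \
        || fail "no 'AuthType Basic' line"
    grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$ht" \
        || fail "no 'require valid-user' line"

    # AuthUserFile must name an existing file in the protected directory.
    pw=$(sed -n 's/^[[:space:]]*[Aa]uth[Uu]ser[Ff]ile[[:space:]]\{1,\}//p' "$ht" \
        | head -n 1 | tr -d '"')
    if [ -z "$pw" ]; then
        fail "no AuthUserFile line"
    elif [ ! -f "$pw" ]; then
        fail "AuthUserFile '$pw' does not exist"
    else
        [ "$(cd "$(dirname "$pw")" && pwd -P)" = "$(cd "$dir" && pwd -P)" ] \
            || fail "AuthUserFile is not in the same directory as .htaccess"
        # Each entry written by htpasswd has the form username:hash.
        bad=$(grep -vcE '^[^:]+:.+$' "$pw" || true)
        [ "$bad" -eq 0 ] || fail "$bad malformed line(s) in $pw"
    fi

    # Assumption: local accounts must not be able to list the directory,
    # so the 8th character of the mode string (read for 'other') must be '-'.
    case $(ls -ld "$dir" | cut -c8) in
        r) fail "directory can be listed by every local account" ;;
    esac
    return "$problems"
}
```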

Accessing Your Protected Site

Your password protected site should now be available:

https://www.seas.upenn.edu/~username/protected/

Replace "username" with your SEAS account name and "protected" with the directory you created. Note the https - you will get a server error if you try to use http.

Other options

For security reasons, directory listings are disabled by default on SEAS web servers. You can override this setting after setting up password authentication by generating an index file. For more options of things to do with your .htaccess file, please visit Apache's site.

© Computing and Educational Technology Services