How to configure a web page to require a username and password

If all of your users have PennKeys, please consider the much simpler approach using Penn Weblogin.

The HTTP Basic Authentication method allows you to restrict access to areas of your website by managing your own usernames and passwords. Use this approach if you need to restrict access to users who do not have PennKeys and/or want the convenience of sharing a single username and password among users. It is available on all domains via HTTPS (such as https://www.seas.upenn.edu/~username/protected/).

To use HTTP Basic Authentication on SEAS servers, you'll need to create two files, .htaccess and .htpasswd, in the folder you want to protect.

Create your .htaccess file

Using your favorite text editor, create a .htaccess file in the directory you want to secure with contents similar to this:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home1/c/clifford/public_html/protected/.htpasswd
require valid-user

The path to the password file after AuthUserFile follows this format:

/home1/<first initial>/<username>/html/protected/.htpasswd

If you've created the file locally, save it and upload it to the directory you want to protect using your favorite FTP client.

If you are comfortable using common UNIX text editors like vi, emacs or nano, it may be easier to create the file directly on the server.

Create your .htpasswd file with the htpasswd command

  1. Connect to eniac.seas.upenn.edu via the command line. Navigate to the folder you want to protect (the location you uploaded your .htaccess file to).
  2. Run the htpasswd command with the -c option to initialize your .htpasswd file. It will create the file if it doesn't exist, or replace all of the contents of an existing file with the specified user. In this example, the file is initialized with the user "cliff" (use whatever username you want):

    htpasswd -c .htpasswd cliff

  3. You will be prompted to enter a password for the user.

Add users or change passwords for existing users

To add more users or change the password for an existing user, simply run htpasswd without the -c option. In this example, a new user, "eric", is added:

htpasswd .htpasswd eric

Set file and directory permissions

Make sure both your .htaccess and .htpasswd files are readable by the web server. In most cases this will mean making them world readable. For extra security, run the chgrp-httpd command mentioned below to give the web server read access to the directory while preventing anyone else from seeing into it.

Note: it is not advisable to use the chgrp-httpd script if you are protecting files in your CGI directory. Instead, chmod the protected directory to 711.

This final step is important to make sure people with local accounts can't access your files via the UNIX file system. Set the correct permissions on your protected folder by running the following command from within the directory you want to protect:

chgrp-httpd .

Note: chgrp-httpd will only run on Eniac.
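As an added example that is not part of the CETS page, the POSIX shell helpers below tie the three steps together: they build the .htaccess from the AuthUserFile path template, check that a file carries the "others" read bit the web server needs, and audit a .htpasswd for entries that use a weaker hash than bcrypt (htpasswd writes $apr1$ MD5 entries by default and bcrypt only with -B, which goes slightly beyond the page). Function names and the sample directory and entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the CETS page. Function names are assumptions.

# Build the AuthUserFile path from the page's template:
#   /home1/<first initial>/<username>/html/<dir>/.htpasswd
auth_user_file() {
  printf '/home1/%s/%s/html/%s/.htpasswd\n' "$1" "$2" "$3"
}

# Write a .htaccess into directory $1 pointing at the password file $2.
write_htaccess() {
  cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Area"
AuthUserFile $2
require valid-user
EOF
}

# The web server runs as a different user, so the file must carry the
# "others" read bit (e.g. mode 644). Returns 0 if it does, 1 otherwise.
is_world_readable() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$(printf '%s' "$mode" | tail -c 1)" in
    4|5|6|7) return 0 ;;
    *)       return 1 ;;
  esac
}

# Print "user:scheme" for every .htpasswd entry that is not bcrypt.
# htpasswd writes $apr1$ (MD5) by default and $2y$ (bcrypt) with -B;
# entries with no recognisable prefix are legacy crypt() or plain text.
htpasswd_weak_entries() {
  while IFS=: read -r user hash; do
    case "$hash" in
      '$2y$'*|'$2a$'*|'$2b$'*) ;;
      '$apr1$'*) printf '%s:apr1-md5\n' "$user" ;;
      '{SHA}'*)  printf '%s:sha1\n' "$user" ;;
      *)         printf '%s:crypt-or-plain\n' "$user" ;;
    esac
  done < "$1"
}

# Usage with constructed sample values: set up a scratch directory and check it.
demo_dir=$(mktemp -d)
write_htaccess "$demo_dir" "$(auth_user_file c clifford protected)"
chmod 644 "$demo_dir/.htaccess"
is_world_readable "$demo_dir/.htaccess" && echo ".htaccess is readable by the web server"
```

Run htpasswd_weak_entries against your real .htpasswd after creating it; any user it lists can be re-hashed with bcrypt by running htpasswd -B (without -c) for that user.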

Accessing Your Protected Site

Your password protected site should now be available:

https://www.seas.upenn.edu/~username/protected/

Replace "username" with your SEAS account name and "protected" with the directory you created. Note the https - you will get a server error if you try to use http.

Other options

For security reasons, directory listings are disabled by default on SEAS web servers. You can override this setting after setting up password authentication by generating an index file.

For more options of things to do with your htaccess file, please visit Apache's site.

© Computing and Educational Technology Services
cets@seas.upenn.edu | 215.898.4707