Limiting Access to a Web Page

The Internet is a wonderful way to disseminate information broadly, but every now and then it is a bit too broad. This document will discuss how to limit access to a web page on the SSCC's web server.

Please note that this process requires you to log into the specific web server you want to access.

Security is actually set for directories, not individual web pages. Of course you could set up a separate directory for each page if you so desired. When the web server receives a request to view a web page, the server will first see if there is a file called .htaccess in the same directory. If there is, this file determines what kind of access the server will give.

Setting up a Single Username and Password

In many cases it will be enough to have a single user name and password that many people can share. For example, you could give an entire class one user name and password to access the course web site.

Creating the .htaccess File

The first step is to create the .htaccess file. It must contain the following text:

AuthUserFile {  full path name to page(s) to be protected  }/.htpasswd
AuthName "{  description of the protected pages  }"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

You can download a template of this .htaccess file (if your browser opens it rather than saving it when you click on the link, right click instead and select "Save Target as" or "Save Link as"). Place this template in the directory you want to protect and then rename it .htaccess. Open it in your favorite editor and replace everything in curly brackets {} with what applies to your site. For example, if I wanted to protect the pages for an Econ 101 class that were in a directory called econ101 in my web site, the .htaccess file would look like this:

AuthUserFile /home/r/rdimond/PUBLIC_web/econ101/.htpasswd
AuthName "Econ 101 web site"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

(Note that if you copy this example you need to change /home/r/rdimond to /home/{first letter of your username}/{your username}.)

As another example, if I wanted to protect the pages for a Soc 101 class that were in a directory called soc101 in Sociology's web site, the .htaccess file would look like this:

AuthUserFile /usr/global/web/soc/class/soc101/.htpasswd
AuthName "Soc 101 web site"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

Setting the Username and Password

Once the .htaccess file is created, you need to set the username and password. Log in to Linux (if you haven't already) and make sure the current directory is the one you want to protect. Then type

/usr/bin/htpasswd -c .htpasswd  username 

where username should be replaced by the username you want to give the users of the web page. You will be prompted to enter and confirm a password. This will create a file called .htpasswd. The .htaccess file tells the server to only allow people to view the pages in this directory if they enter the username and password combination that appears in .htpasswd.

Note that if you open .htpasswd, it lists the valid usernames, but the passwords are encrypted. If you forget the password you chose, you will need to create it again.

Creating Multiple Usernames

If you want more than one username, there is a simple program that automates the entire process. Of course the price of automation is lack of flexibility; in particular you cannot choose the usernames and passwords. In the directory you want protected simply type

mkhtpass n

where n is the number of separate usernames you desire. The program will then prompt you to enter a description of the site. It will create the .htaccess and .htpasswd files, along with a file called password.txt. This contains the usernames and passwords in plain text (so you will want to delete it or move it to a non-public location). Note that the usernames are simply numbers: 00001, 00002 etc., and the passwords are completely random.

Limiting Access by Domain

One easy way to limit access is by domain. For example, you could allow access only to those who are currently in the wisc.edu domain. This would allow anyone connected to the University network on campus or via VPN to access your site. As before you need to have a .htaccess file, but this time it just needs to contain:

allow from wisc.edu
deny from all

No .htpasswd file is needed. 
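
The following is an added example, not part of the original SSCC document: a shell function that checks a directory set up by any of the methods above for the mistakes these steps make easy (template placeholders left in .htaccess, an AuthUserFile path that does not match where .htpasswd really is, and a password.txt left in the web directory). The function name, the finding labels and the sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit one directory protected as described in this document.
# Prints one finding per line; prints nothing when no problem is found.
audit_protected_dir() {
    dir=$1
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "MISSING_HTACCESS: $ht not found, directory is not protected"
        return 0
    fi
    # Template placeholders in curly brackets were never replaced.
    if grep -q '[{}]' "$ht"; then
        echo "PLACEHOLDER: $ht still contains {} from the template"
    fi
    # Password setup: AuthUserFile (spelled as in the template) must name
    # an existing file by its full path.
    pw=$(sed -n 's/[[:space:]]*$//; s/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$ht" | head -n 1)
    if [ -n "$pw" ]; then
        case $pw in
            /*) ;;
            *) echo "RELATIVE_PATH: AuthUserFile '$pw' is not a full path name" ;;
        esac
        [ -f "$pw" ] || echo "NO_PASSWORD_FILE: $pw does not exist"
        grep -qi 'require[[:space:]]*valid-user' "$ht" ||
            echo "NO_REQUIRE: AuthUserFile is set but 'require valid-user' is absent"
    fi
    # mkhtpass leaves the usernames and passwords in plain text here.
    if [ -f "$dir/password.txt" ]; then
        echo "PLAINTEXT_PASSWORDS: $dir/password.txt is inside the web directory"
    fi
}

# Constructed sample: password.txt was left in place and the AuthUserFile
# path points at a .htpasswd file that is not there.
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<EOF
AuthUserFile $demo/.htpasswd
AuthName "Econ 101 web site"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
EOF
: > "$demo/password.txt"
audit_protected_dir "$demo"
rm -rf "$demo"
```
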

Caveats

The steps described here are simple and fairly effective, but not state of the art. In particular, the user names and passwords are sent in plain text, and in principle could be intercepted and read. Thus it would be wise to use a different user name and password for web pages than for your SSCC account or any other account. In addition, this would not be appropriate for highly sensitive data, which probably does not belong on the web, period.



Keywords:
web page webpage password limit limiting access 
Doc ID:
102653
Owned by:
Russell D. in Social Science Computing Cooperative
Created:
2020-05-31
Updated:
2023-05-30
Sites:
Social Science Computing Cooperative