Password protection in html

This information is for Linux users, but can be adapted by windows users.

Say you want to put information on the web that you want your class, but no one else, to have access to. Or say you want to put information on the web that people can access but not robots (i.e., you do not want it indexed by google).

Here is a method that is reasonably secure for doing so. (Any information that is highly sensitive might require better protection.)

Here is how it works in concept. First create a directory in your web accessible directory, say Public_html/myclassInfo/ . Make sure it has execute permissions so web browsers can access files in it.

The idea is to password protect this directory so that whenever a browser attempts to access a file in this directory, the user will be presented with a panel asking for a username and password that must be filled in correctly before access is granted.

Two files are needed (make sure both have universal read permissions). One is called ".myclassinfopasswds" (or whatever). Put this file in Public_html (i.e., not in myclassinfo/ ) or, even better, put it in your home directory, beyond the reach of web browsers. This file will contain a list of usernames and passwords. Inside myclassinfo/ put a file called ".htaccess". This will tell the server where to find the file we're calling ".myclassinfopasswds".

Here is what should be in the file .htaccess:

AuthUserFile /Net/mathstat/Users/Fac/XXX/.myclassinfopasswds

AuthGroupFile /dev/null

AuthName ByPassword

AuthType Basic 

 

require valid-user

Note: Replace /Net/mathstat/Users/Fac/XXX by the pathname of the directory where you put the file .myclassinfopasswds .

Here is what goes in the file ".myclassinfopasswds":

username1:Ox3I9uW/XvQs.
username2:EtTpDmezeFZPU

Each line of ".myclassinfopasswds" consists of a username and an encrypted password. You can make the usernames anything you want. A user will be given viewing access if the user enters any username and its corresponding password, when requested by the web server.

Here is how to generate the required encrypted password. On most UNIX systems you simply run the following command at the prompt in a terminal window:

htpasswd -nb  jdoe jhsdj

Here the username is jdoe, and the password is jhsdj . The output of the command will be the encrypted form of jhsdj, say EtTpDmezeFZPU, which goes in the file ".myclassinfopasswds" as a line of the form:

jdoe:EtTpDmezeFZPU

Unfortunately, our Linux system does not recognize the command htpasswd. The answer is to log on to another UNIX system (most will recognize htpasswd), or visit a website, such as http://www.xs4all.nl/~remcovz/htpasswd.html, which will run the command for you.

You will of course have to tell your users what their usernames are and what each corresponding password is. If you just want to keep robots out, include a note about what the username is and password is at the same point that you have a link to the protected directory.