Add Password-Protection
to a Web Subdirectory

Why? You could use this technique to display your membership roster to only those members who know the user name and password. Please note that this is a very rudimentary form of restricting access, so it should not be used for extra sensitive data. This technique can be overcome by a sophisticated computer user, but it would take some time. So it is mostly used to keep out the casual browser. If you want to learn more, you can visit http://httpd.apache.org/docs/1.3/howto/auth.html

In this example, you'll learn how to password-protect a directory in your IO Web space so that only Mapper, Digger, and Sport will have access. Note: You don't have to have multiple user names. You may want to assign one user name and password, then let all members know what it is.

To make this work, you will create three small text files that will go into a sub directory of your IO directory that was assigned by the NSS.

Text editors in Windows: Windows usually wants to automatically add a file extension to any files you create. In this case you are creating files that only have a file extension, that is, there is nothing before the dot. If you are using Windows, I recommend that you use Notepad to create the three files. When you save the file, enclose the name in quotes so that Windows will not add a file extension.

Please note: File names on the NSS server are case sensitive. Save yourself problems by using all lower case for file and directory names.

Step 1: Create the directory you wish to password-protect.

Use your favorite file transfer protocol (FTP) method to connect to the NSS server and create a directory called "members" in your IO directory that was assigned by the NSS. (You can use a different name, just keep it simple.)

Step 2: Create an .htaccess file.

Create a file containing the following text in your favorite text editor.
Note that the example uses the directories "grotto/nittany" - where you see this you must substitute your own directories as assigned by the NSS.
Note in the example, the sub directory "members". Substitute the name of the sub directory you created in Step 1.
Where you see the name "private directory", change it to something users will understand. This is part of the message that will be displayed in the pop-up window where users will enter their user name and password.

AuthUserFile /var/www/vhosts/caves.org/httpdocs/grotto/nittany/members/.htpasswd

AuthGroupFile /var/www/vhosts/caves.org/httpdocs/grotto/nittany/members/.htgroup

AuthName "private directory"

AuthType Basic

Require group allowed

NOTE: The <Require> line is added to make sure that all methods (GET, POST, etc.) are restricted.

Save this file as .htaccess

Now upload this file to the "members" directory that you created inside your IO directory that was assigned by the NSS.

Step 3: Create an .htpasswd file.

The password that is associated with a user name is encrypted, therefore you must store it that way in the .htpasswd file. Fortunately there is a utility that will encrypt it for you. Go to the Encrypted Password Generator Page and follow the directions to get the password information for creating your .htpasswd file. (Make up a user name, and choose a password.) Note: user names and passwords are case-sensitive, so, they will have to be typed the same way each time. After you fill out the form and Submit it, the service will display a string of thirteen characters after the user name that you entered.
Copy the entire line into a file using your favorite text editor You could make a different password for each person, but for this example only one password is used for all three. Your file will have the following form:
Save the file as .htpasswd.
Now upload this file to the "members" directory that you created inside your IO directory that was assigned by the NSS.

Step 4: Create an .htgroup file.

Again use your favorite text editor to make a file containing the list of privileged users that you choose for creating the .htpasswd file. It should have the following form. Note that in our case Mapper, Digger, and Sport are the privileged users for the "members" directory. Again, note that these user names are case-sensitive. The name of the group is "allowed" in this example, and needs to be the same in this file and in the Require line in your .htaccess file.
```
allowed: Mapper Digger Sport
```
Save this file as .htgroup.
Now upload this file to the "members" directory that you created inside your IO directory that was assigned by the NSS.

Step 5: Place the .htm pages you want to protect in the sub directory.

If you want to have the membership roster to be seen only by members, place its page inside the sub directory. In the example, that would be the "members" sub directory. The hyperlink will point to that page inside the sub directory. When the server goes there to find the page it sees that the sub directory is password protected, and will ask the user for the user name and password.

Does it work?

Try to access the page you protected on your web site. If everything is set up correctly, your browser should prompt you for a username and password. You should not be able to access the page unless you enter one of the user name - password combinations that you entered when creating the .htpasswd file. In our example that would be one of the user names: Mapper, Digger, or Sport and the password you assigned.

Remember, the NSS server is case-sensitive. If you have trouble, check to make sure you're using the correct case.

Make sure you name the three files correctly. They must be named as follows or it won't work.

.htaccess .htpasswd .htgroup

Did you upload the files using the "ASCII" (for PC's) or "Text" (for MACs) mode. Some FTPs have an Auto mode that may work also.

If you do not see the three files in your sub directory after you have uploaded them it may be because the server codes these files as hidden. Check your FTP client to see if it can display the names of hidden files. Most do.

Last revised: November 10, 2008
by Keith Wheeland