Bahá'í Communications 5712 Deerfoot Trail Copyright © 1996-20015 by BCI. BCI is sponsored by the Spiritual Assembly of the Bahá'ís of Fort Worth, Texas.
How to secure a web document using HTACCESS
Creating a sub-directory
The htaccess method of user authentication works on a directory. That is to say, it grants or denies access to the directory in which it is set up. There is no way to restrict access to some files in a directory while allowing free access to other files. Let us assume for a moment that I maintain the Baha'i Community of Fort Worth's web page on BCI, which, as it happens, I do. :) I might decide that I want to set up a page for members of the community only, and secure this page with a username and password. To accomplish this, I must put the members-only web page in a different directory from the pages that I do not want to restrict. The decision as to what to name the directory is important, because the name becomes part of the URL by which the user accesses the restricted page. In this example, let's name the directory "member", which makes the URL for the members-only page /ftworth/member. This should be pretty easy for people to remember, which is a good thing, since folks have a lot on their minds lately.
Create this directory with your FTP client program. The command will vary depending on which client you use.
If you use the command-line ftp program that comes with Windows, the command is: mkdir member
The .htaccess file
We now have an empty directory just below the "ftworth" directory. The next step is to create the file that tells the server to restrict access to the directory. This file must be named ".htaccess", because the server has been instructed to look for a file with this name and to restrict access to the directory if it is found. The file also tells the server where to find the file containing the usernames and passwords needed to access the directory. Here is what the .htaccess file in our example "member" directory would look like:
When someone tries to access the directory, the server will bring up a little box in the user's browser asking for a username and password. The AuthName directive tells the server what to call the resource for which the user is being asked to supply a username and password. You can put anything you want here, but remember that the user will see whatever you put. The AuthUserFile directive tells the server where to look for the file containing the usernames and passwords needed to access the directory. Note that I have placed that file in the "ftworth" directory instead of in the "/ftworth/member/" directory. This makes it harder for someone to work out which file is your authorization file and download it. We will discuss how to create this file a little later. The other two lines in this file will not need to be changed at all. One final note on the .htaccess file: when you upload the file using FTP, be sure to upload it as an ASCII file transfer rather than a BINARY transfer. PCs and Unix systems use different end-of-line markers, and an ASCII transfer converts the PC end-of-line markers to Unix end-of-line markers.
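The .htaccess listing the text refers to did not survive on this page. Below is an added example of such a file, not the author's original: the AuthName text and the AuthUserFile path are assumptions, and the syntax is Apache 2.4's. The second stanza is a check the text does not mention: because the password file sits inside the web tree, a request for /ftworth/member.access would otherwise serve it, since Apache's stock configuration only refuses to serve files whose names begin with ".ht".

```apache
# --- .htaccess in the restricted "member" directory (added example; path assumed) ---
AuthType Basic
AuthName "Fort Worth Baha'i Community - Members Only"
AuthUserFile /path/to/ftworth/member.access
Require valid-user

# --- .htaccess in the parent "ftworth" directory (added example) ---
# Deny web access to the password file itself; only FTP/shell access should reach it.
<Files "member.access">
    Require all denied
</Files>
```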
The User Authorization File
Now we need to create the file that we told the server to look in for usernames and passwords. To do this, we use a program called "htpasswd." Download this program to your PC and remember where you saved it, because you will have to run it in a DOS window. After the program has downloaded, use the Start button in Windows to open an MS-DOS Prompt window. Change to the directory where you saved the htpasswd program and enter this command: htpasswd -c member.access mark
The "-c" parameter tells htpasswd to create the file. Use it only the first time: every run with "-c" creates a fresh file, and your previous entries will be gone. The second parameter is the name of the file. This must be exactly the same as what you entered in the .htaccess file. The third parameter is the username you wish people to use to access the directory. When you run this command, the program will prompt you for the password for user "mark" and then have you re-enter it, to make sure it wasn't mistyped. You may run this command as many times as you need to (without the "-c", remember) if you want people to be able to access the directory under different usernames. Alternatively, you could enter a name like "ftworth" and tell your community what the password for "ftworth" is, so they could all get to the page under that name. Now upload the file using FTP, once again being sure to upload it as an ASCII file transfer rather than a BINARY transfer.
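As an added illustration (not part of the original document), the Python below reproduces what the server does with the file htpasswd writes: each line is user:hash, the password itself is never stored, and on each request the server hashes the submitted password with the salt from the stored entry and compares. It assumes entries made with htpasswd's MD5 option (-m, the $apr1$ prefix) or its SHA-1 option (-s, the {SHA} prefix); the sample file, usernames and passwords are constructed.

```python
import base64, hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # MD5-crypt's 6-bit alphabet

def _to64(value, count):  # emit `count` 6-bit groups of value, least significant first
    out = ""
    for _ in range(count):
        out, value = out + ITOA64[value & 0x3F], value >> 6
    return out

def apr1_crypt(password, salt):
    """Apache's $apr1$ scheme (htpasswd -m): MD5-crypt with a different magic string."""
    pw, s = password.encode(), salt[:8].encode()       # salt is at most 8 characters
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, left)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                               # 1000 stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3: c.update(s)
        if r % 7: c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return "$apr1$" + s.decode() + "$" + enc + _to64(final[11], 2)

def check_password(htpasswd_text, user, password):
    """True if the `user:<hash>` line matches `password`; supports $apr1$ and {SHA} entries."""
    for line in htpasswd_text.splitlines():
        name, sep, stored = line.partition(":")
        if not sep or name != user:
            continue
        if stored.startswith("$apr1$"):
            candidate = apr1_crypt(password, stored.split("$")[2])
        elif stored.startswith("{SHA}"):                 # htpasswd -s: base64(SHA-1(password))
            candidate = "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        else:
            return False                                 # plaintext or unknown scheme: refuse
        return hmac.compare_digest(candidate, stored)   # constant-time compare
    return False                                         # no such user

# Constructed sample of the "member.access" file described in the text (not from the page).
SAMPLE_HTPASSWD = ("mark:" + apr1_crypt("s3cret-example", "ab12cd34") + "\n"
                   "ftworth:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n")   # second password is "password"
```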
The Secured Document(s)
The final step is to put our web page into the directory. This is done in the same way you usually do it; just make sure you change to the subdirectory before uploading the page. If you name it index.htm or index.html, you will not need to include the name of the file in the URL, just as with your main page.
A Final Note
I would be remiss if I did not offer this caveat to those considering using htaccess to secure a web page on BCI. If you have a secret, lock it in your file cabinet. The web is no place for secrets! The only thing your data will be protected against is people surfing with a browser, and I don't guarantee even that. There may be some bug in the HTTP server software that someone will discover and exploit to see your information. For low-level stuff it's just fine, and very few individuals would have the ability or inclination to attempt to defeat the security of your web page, but if release of the information would be a serious problem for you, in my opinion you should not put the information on the web. 'Nuff said!
Comments and questions on this document or the general subject may be directed to Mark Clark. (Updated 3/03)