Restricting Access to Certain Users with htaccess

If you wish to password-protect pages and have people use their UWNetIDs, you should use pubcookie instead. Use these instructions only if you are setting up low-security password protection with shared usernames. Protecting pages using this method is inherently insecure, since the passwords are not encrypted when they are sent to the web server.

Creating the password file

If you are working in /usr/local/wwwudev, then use the following steps to create a new password file:

  1. % cd /usr/local/wwwudev/htaccess/u
  2. % ls
  3. Choose a name which is not already taken. groupname will be used in the rest of this example for the name of the group, and user1 and user2 for the first two usernames to be added.
  4. % htpasswd -c groupname user1
    You will be asked for the password for that user.
  5. % htpasswd groupname user2
    As in the previous step, you will be asked for a password.
  6. Add the remainder of the users.
  7. % wwwuinst -push htaccess/u/groupname

If you are working in /usr/local/wwwdev, then change step 1 to use the directory /usr/local/wwwdev/htaccess and change the last step to pushing htaccess/groupname instead.

Modifying the .htaccess file

An example of an .htaccess file that restricts access by password follows. The .htaccess file should go into the directory you're developing in, for example /usr/local/wwwudev/world/travel/.

Note that the AuthUserFile points to www rather than wwwudev. This is because if the file is installed into production, it will be in www. You install your password file into production with the wwwuinst command (step 7 above).

AuthUserFile /www/htaccess/u/groupname
AuthName groupname
AuthType Basic

require user user1
require user user2

Note that if you're developing in /usr/local/wwwdev instead of /usr/local/wwwudev, the directory you'll need to use for your password file is /usr/local/wwwdev/htaccess.
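
A consistency check you can run before pushing (step 7), as an added example that is not part of the original instructions: it lists every user named in a "require user" line of the .htaccess file that has no entry in the password file. The function names are hypothetical, and the password file is passed explicitly because AuthUserFile names the production path rather than your development copy.

```shell
#!/bin/sh
# Added example: find "require user" names with no entry in the password file.

# Print each username that follows a "require user" directive, one per line.
# Directive names are case-insensitive; one line may name several users.
required_users() {
    awk 'tolower($1) == "require" && tolower($2) == "user" {
             for (i = 3; i <= NF; i++) print $i
         }' "$1" | sort -u
}

# Print the usernames in an htpasswd file (the text before the first colon).
password_users() {
    awk -F: 'NF >= 2 && $1 != "" && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

# Print required users missing from the password file.
# Returns 0 if none are missing, 1 if some are, 2 if a file is unreadable.
missing_users() {
    htaccess=$1
    passwd=$2
    [ -r "$htaccess" ] || { echo "cannot read $htaccess" >&2; return 2; }
    [ -r "$passwd" ] || { echo "cannot read $passwd" >&2; return 2; }
    req=$(mktemp)
    have=$(mktemp)
    required_users "$htaccess" > "$req"
    password_users "$passwd" > "$have"
    missing=$(comm -23 "$req" "$have")   # lines only in the required list
    rm -f "$req" "$have"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Demo on constructed sample files (no real accounts or password hashes).
demo() {
    d=$(mktemp -d)
    printf 'AuthUserFile /www/htaccess/u/groupname\nAuthName groupname\nAuthType Basic\n\nrequire user user1\nrequire user user2\n' > "$d/.htaccess"
    printf 'user1:CONSTRUCTED-HASH\n' > "$d/groupname"
    echo "Required users with no password entry:"
    missing_users "$d/.htaccess" "$d/groupname" || true
    rm -rf "$d"
}
demo
```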