Password Protection by UW NetID

Nearly all students, staff, and faculty have a UW NetID and password which they can use to access UW network and computing services. You can restrict access to your website to only the specific UW NetIDs you authorize. Since there are no passwords for you to generate and maintain, it is a simple way to protect your website.

Note: CGI and PHP script authors can read the REMOTE_USER environment variable to determine the specific UW NetID of each authenticated visitor.

Step-by-step Instructions

Simple instructions are available for the most common ways to password protect Web pages using UW NetIDs:

Authorizing Any Valid UW NetID
Provide access to anyone with a valid UW NetID.

Authorizing a Short List of UW NetIDs
Provide access to your own short list of UW NetIDs (e.g. 20 or fewer).

Authorizing by UW Group ID
Provide access to the members of a group in the UW Group Service.

Authorizing Participants in a Course
Provide access to participants in a specific UW course or courses.

Authorizing UW NetIDs by Affiliation Type
Provide access to all UW NetIDs of a certain affiliation type (e.g. students, faculty or alumni).

How It Works

Password protection by UW NetID is easy to apply to your website, but a variety of things (cookies, browser redirection, encryption) make it work. Here is a description of what happens when someone requests a file you have protected by UW NetID.

  1. A request is made for a file you have protected by UW NetID authentication.

  2. The server recognizes that the visitor hasn't authenticated and redirects them to the UW NetID "weblogin" service where they can enter their UW NetID and password.

  3. If the UW NetID and password match, the user is redirected back to the original resource and a session cookie is set on the user's browser.

  4. Now that the user has been authenticated, the original request is fulfilled, but only if you have authorized the specific UW NetID in your .htaccess file. The UW NetID is extracted by the server and placed into the REMOTE_USER environment variable for use by authors of CGI and PHP scripts.

  5. The session cookie serves as a credential to authenticate the user on subsequent requests for other files in the same website.
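
Step 4 and the note near the top say that CGI and PHP authors can read REMOTE_USER. The following is an added example, not code from this page or from UW: a Python CGI handler that refuses to run when the server has not set the variable. The identifier pattern and the ADMIN_NETIDS list are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""CGI handler that trusts REMOTE_USER only when the server actually set it."""
import html
import os
import re

# Assumption: a conservative allow-list pattern for the identifier; adjust it
# to your site's rules. Anything else is treated as "not authenticated".
NETID_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")

# Hypothetical application-level list: NetIDs allowed to see the admin view.
ADMIN_NETIDS = {"ted", "edna"}


def authenticated_netid(environ):
    """Return the NetID set by the server, or None if absent or malformed."""
    # Read REMOTE_USER only. CGI variables prefixed with HTTP_ are copied from
    # request headers, so the visitor controls them.
    user = environ.get("REMOTE_USER", "")
    return user if NETID_RE.fullmatch(user) else None


def handle_request(environ):
    """Build (status, body) for a request, failing closed without REMOTE_USER."""
    netid = authenticated_netid(environ)
    if netid is None:
        # Reached without authentication, e.g. the .htaccess file is missing
        # or the script was copied to an unprotected directory.
        return "403 Forbidden", "Authentication required."
    role = "admin" if netid in ADMIN_NETIDS else "member"
    # Escape before echoing into HTML even though the pattern is strict.
    return "200 OK", f"<p>Signed in as {html.escape(netid)} ({role}).</p>"


def main():
    status, body = handle_request(os.environ)
    print(f"Status: {status}")
    print("Content-Type: text/html; charset=utf-8")
    print()
    print(body)


if __name__ == "__main__":
    main()
```

The .htaccess 'require' line remains the access control for the directory; the check in the script only keeps it from serving content if that protection is ever missing.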

Combining Authorization Methods

The authorization methods described above can be combined on a 'require' line by using the operators AND and OR. Each authorization type must be named before the identifiers it requires.

Here's an example of allowing anyone who is either in a course or in a short list of UW NetIDs to view a site.

require course AUT2009.12345 OR user ted edna steve

This method can be used with any combination of authorization methods requiring UW NetIDs for authorization.

It is more common to use OR for this purpose, as using AND would require users to be in both the course and the short list in order to access the authorized content.

Last modified: June 13, 2013