If a web directory is password protected and a user attempts to open either that directory area or a file in that directory, a window will appear requesting a username and password. With the proper username and password entered, the user will be allowed to view files in that directory. Password protecting a directory area does not stop the document names from being displayed during a search within the web site; it only means that the documents themselves cannot be viewed without the proper username and password associated with the directory.
There are a few reasons you might consider password protecting one of your directory areas.
- You have material you want to share within a department or group that you do not want seen by outsiders who land on your site during a search.
- You are an instructor placing class materials on the web for your students. A password will protect your materials from general access and only allow your students to see copyrighted materials that you are sharing through the fair use doctrine.
- You are developing a new web site and you do not want it viewed yet by the general public.
Note that, during a given connect session, once a user enters the correct username and password, he/she can continue to work with files in that site without having to re-enter the username and password each time. The same username and password is used by everyone viewing your protected site; individual viewers do not each have their own unique username and password to see the documents on the protected site.
Note: you may follow the steps below to password protect a folder, or you can send an email to webhelp@ag.arizona.edu for help password protecting a folder on the College of Agriculture and Life Sciences' server.
These are the basic steps to password protect a directory:
- Step 1: Create the directory area and set permissions to read the area
- Step 2: Create a file called .htaccess in the directory you want to protect
- In that file, type in these lines:

      AuthUserFile /your/directory/here/.htpasswd
      AuthGroupFile /dev/null
      AuthName "Secure Document"
      AuthType Basic
      # The require line inside <LIMIT> applies only to the methods listed there
      <LIMIT GET PUT POST>
      require user username
      </LIMIT>

- For example, if you were going to protect the /usr4/test/private/ directory and you want the required name to be class239, then your file would look like this:

      AuthUserFile /usr4/test/private/.htpasswd
      AuthGroupFile /dev/null
      AuthName "Secure Document"
      AuthType Basic
      <LIMIT GET PUT POST>
      require user class239
      </LIMIT>

- Step 3: Create a file called .htpasswd in the same directory as .htaccess
- You create this file by typing in the information below, at the system prompt, in the directory area to be protected:

      htpasswd -c .htpasswd username

- In the example above, the username is class239 so you would type:

      htpasswd -c .htpasswd class239

- You will be prompted to enter the password you want. The .htpasswd file will be created in the current directory and will contain an encrypted version of the password.
- Step 4: Changing the password or username later
- To later change the username, edit the .htaccess file and change the username.
- If you want to later change the password, just retype the above line in step 3 and enter the new password at the prompt.
- Step 5: Don't forget to change the permissions on the files.
- After creating the password file (previous step) you will be sitting in the directory area which will be protected. Type chmod 755 .htpasswd and press Enter, and then type chmod 755 .htaccess and again press Enter. You have just made these two files readable.
- For more information, see "Understanding permissions on the Unix".
- Be sure that the folder which contains these two files has been set at either 775 or 755 (so the folder is executable).
- Step 6: If you receive an "Internal Server Error" message when you try to access your page/directory, check for typing errors in your .htaccess file
- Step 7: To unprotect this directory area, delete the .htaccess and the .htpasswd files.
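
A script can confirm that a directory set up with the steps above matches them: it reports when a `<LIMIT>` block restricts the password check to the listed methods, confirms the `AuthUserFile` exists, and checks the Step 5 permissions. This is an added example, not part of the College's instructions; the function names `audit_htaccess` and `make_sample`, the finding labels and the temporary sample directory are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a directory protected with the steps above.
# Prints one finding per line; prints nothing when the checks pass.
audit_htaccess() {
    dir=$1
    ht="$dir/.htaccess"
    [ -f "$ht" ] || { echo "MISSING: $ht"; return 0; }

    # <Limit ...> applies "require" only to the listed methods; requests
    # using any other method are not asked for a password.
    methods=$(sed -n 's/^[[:space:]]*<[Ll][Ii][Mm][Ii][Tt][[:space:]]\{1,\}\([^>]*\)>.*/\1/p' "$ht")
    [ -z "$methods" ] || echo "LIMIT: password required only for: $methods"

    # The file named by AuthUserFile must exist (Step 3).
    pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$ht" | head -n 1)
    if [ -z "$pw" ]; then
        echo "NOAUTHFILE: no AuthUserFile line in $ht"
    elif [ ! -f "$pw" ]; then
        echo "NOPASSWD: $pw does not exist"
    fi

    # Step 5 sets both files to 755. Flag files that are not
    # world-readable or that are writable by group or others.
    for f in "$ht" "$pw"; do
        [ -f "$f" ] || continue
        [ -n "$(find "$f" -prune -perm -004 -print)" ] ||
            echo "UNREADABLE: $f is not world-readable"
        [ -z "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ] ||
            echo "WRITABLE: $f is writable by group or others"
    done
    return 0
}

# Constructed sample: the page's class239 example written into DIR.
make_sample() {
    printf '%s\n' "AuthUserFile $1/.htpasswd" 'AuthGroupFile /dev/null' \
        'AuthName "Secure Document"' 'AuthType Basic' \
        '<LIMIT GET PUT POST>' 'require user class239' '</LIMIT>' > "$1/.htaccess"
    : > "$1/.htpasswd"    # placeholder; the real file comes from htpasswd -c
    chmod 755 "$1/.htaccess" "$1/.htpasswd"
}

# Run the audit on the constructed sample, then clean up.
d=$(mktemp -d) && make_sample "$d" && audit_htaccess "$d"
rm -rf "$d"
```

On the page's example file the only finding is the `LIMIT` line; placing the `require` line outside any `<LIMIT>` block makes the password apply to every request method.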
htpasswd is a program provided with the Apache webserver that we have installed on the College's server. It allows our users to password protect web directories found on the CALS server. It creates and requires the files .htpasswd and .htaccess to password protect a directory from being viewed over the web.
These instructions relate to password protecting directories on the College of Agriculture and Life Sciences' server. If you are working on another system, you need to contact the technical support staff for that server.
It is possible to set up a protected directory that allows multiple users, if the possible usernames have been entered. Refer to this document on how to set up multiple usernames.