How do I restrict access to my website with usernames and passwords that I manage?
Note: If all of your users have PennKeys, please consider the more secure and much simpler approach using Penn Weblogin.
The HTTP Basic Authentication method allows you to restrict access to areas
of your website by managing your own usernames and passwords. Use this approach
if you need to restrict access to users who do not have PennKeys and/or want
the convenience of sharing a single username and password among users. It is
available on all domains via HTTPS (such as
To use HTTP Basic Authentication on SEAS servers, you'll need to create two
files, .htaccess and .htpasswd, in the folder you want to protect.
Using your favorite text editor, create a .htaccess file in the
directory you want to secure with contents similar to this:
AuthName "Restricted Area"
The path to the password file after AuthUserFile follows this format:
If you've created the file on your local machine, transfer it to the directory you want to protect. See How do I transfer files to a SEAS account? for more information.
Now log into the command line on eniac.seas.upenn.edu. Navigate to the
directory you want to protect that contains the .htaccess file. Run the
htpasswd command with the -c option to initialize your .htpasswd file.
It will create the file if it doesn't exist or replace all of the
contents in an existing file with the specified user. In this example,
the file is initialized with the user "cliff" (use whatever username you want):
htpasswd -c .htpasswd cliff
Enter a password for the user at the prompt.
Make sure both your .htaccess and .htpasswd files are readable by the web
server. SEAS has provided the chgrp-httpd command to give the web server
read access to files or directories while preventing other accounts from
seeing them.
Warning: Do not use the chgrp-httpd command if you are protecting files in
your webdav directory. A scheduled task periodically sets these
eniac.seas.upenn.edu and run these commands (using the
protected directory as an example):
Note: it is not advisable to use the chgrp-httpd script if you are protecting files in your CGI directory. Instead, chmod the protected directory to 711.
Your password-protected site should now be available:
Replace username with your SEAS account name and protected with the directory you created.
Important: An encrypted connection is mandatory. Protected directories must be accessed via HTTPS or an error will be returned.
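To confirm the setup described above, the following shell function audits a protected directory. It is an added example written for this page, not a SEAS-provided tool; the function name audit_protected_dir is hypothetical, and it assumes the AuthUserFile path contains no spaces and that password entries use the standard htpasswd hash prefixes.

```shell
#!/bin/sh
# Added example (not SEAS code): audit a directory protected with .htaccess
# and .htpasswd. Prints one line per finding; the return status is the
# number of findings (0 means nothing was flagged).
audit_protected_dir() {
    dir=$1
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        note "$ht is missing, so the directory is not protected"
        return "$findings"
    fi

    # Basic authentication needs all four directives to work as intended.
    for d in AuthType AuthName AuthUserFile Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$ht" || note ".htaccess has no $d line"
    done

    # Resolve the password file from AuthUserFile (assumes a path without spaces).
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"')
    if [ -z "$pw" ] || [ ! -f "$pw" ]; then
        note "AuthUserFile target '$pw' does not exist"
        return "$findings"
    fi

    # The web server must read this file; other accounts should not.
    if [ -n "$(find "$pw" -perm -004)" ]; then
        note "$pw is world-readable"
    fi

    # Salted htpasswd hashes start with '$' ($2y$ bcrypt, $apr1$ MD5).
    # '{SHA}' is unsalted SHA-1; anything else is crypt() or plaintext.
    weak=$(awk -F: '!/^#/ && NF >= 2 &&
        (index($2, "{SHA}") == 1 || substr($2, 1, 1) != "$") { print $1 }' "$pw")
    for u in $weak; do
        note "user '$u' has a legacy hash; reset the password with htpasswd"
    done

    return "$findings"
}
```

Source the file and run `audit_protected_dir /path/to/protected` on eniac; an exit status of 0 with no output means none of the checks fired.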
How do I change passwords or add new users?
To add more users or change the password for an existing user, simply run
htpasswd without the -c option. In this example, a new user, "eric", is added:
htpasswd .htpasswd eric