Using this method, an individual will be prompted for a username and password when they go to your site. Remember, access is protected by directory, so everything in that directory will be under the password restriction.

Keep in mind that this username and password to access your site will NOT be the NYU NetID and password combination—you will assign the usernames and passwords yourself. Create a unique username and password—it should not be the same as an individual's NetID.

This method requires two files: the file .htaccess and the file .htpasswd.

Note: There is no correspondence between the usernames and passwords used for accounts on the main web server and usernames and passwords in any specific .htpasswd file. A user doesn't need to have an account on the i4 system or on the main web server in order to be validated for access to files protected by this authentication.

Creating your .htaccess file

  1. Follow steps to create your .htaccess file.
  2. Customize your .htaccess file to include specific text to limit access based on a set password. Take note of specific instructions regarding the lines:
    1. AuthUserFile
    2. AuthName
  3. Create your .htpasswd file.
  4. Test your .htaccess file.

Customizing your .htaccess file

Note: The .htaccess file should be located in the directory which contains the documents to which you wish to restrict access. The contents of this version of the .htaccess file specify the name and location of the second file, the .htpasswd file.

The text for your .htaccess file should be:

AuthUserFile /www/sites/nyu.edu/htdocs/path_to_site/.htpasswd
AuthName "Put Your Description Here"
AuthType Basic
require valid-user

Please note:

  • If there are extra spaces after AuthUserFile, the .htaccess restriction will not work.
  • If you have more than one word in the AuthName field, you must surround your text with quotation marks.

AuthUserFile

The AuthUserFile line contains the absolute path to where you will store the .htpasswd file. When creating this file on the main web server (via i4.nyu.edu), always begin with:

/www/sites/nyu.edu/htdocs/

That path is the root of the main web server's file hierarchy.

For example, if you wanted to restrict access to a portion of your website at:

http://www.nyu.edu/projects/mysite/private/

then the full pathname to this part of your site would be:

/www/sites/nyu.edu/htdocs/projects/mysite/private/

and that should be where your .htaccess and .htpasswd files live. If you're not sure what the full pathname to your directory is, use SSH to log into your i4 account, switch to your web directory and type the Unix command pwd (print working directory) from the command prompt. This will display the path to that directory. Please see our tutorial on Unix file permissions for more information.

AuthName

The AuthName line tells the browser to include a short description in its prompt when it asks for a password. You can put just about anything on this line, but ideally it should indicate something about the directory the user is about to log into. For example, if in the AuthName line you've put "My Private Site", that text would appear in the dialog box the user sees when they get to the restricted page.
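
The mistakes described above for the AuthUserFile and AuthName lines can be checked from the command line before you test in a browser. The shell function below is an added example, not part of the original instructions or of any NYU tooling; the name lint_htaccess and the reading of "extra spaces" as anything other than a single space before the path are assumptions.

```shell
#!/bin/sh
# lint_htaccess FILE  (hypothetical helper name, added for illustration)
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
lint_htaccess() {
    awk '
    function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    { key = tolower($1) }
    key == "authuserfile" {
        seen_file = 1
        # Assumption: "extra spaces" means anything other than exactly one
        # space between the directive and a path with no trailing blanks.
        if ($0 !~ /^[^ \t]+ [^ \t]+$/) { report("extra spaces on the AuthUserFile line") }
        if ($2 !~ /^\//) { report("AuthUserFile must be an absolute path") }
    }
    key == "authname" {
        seen_name = 1
        val = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)   # strip the directive name
        sub(/[ \t]+$/, "", val)                # and any trailing blanks
        if (val ~ /[ \t]/ && val !~ /^".*"$/) {
            report("multi-word AuthName must be in quotation marks")
        }
    }
    key == "authtype" {
        seen_type = 1
        if (tolower($2) != "basic") { report("AuthType should be Basic") }
    }
    key == "require" && tolower($2) == "valid-user" { seen_req = 1 }
    END {
        if (!seen_file) { print "missing AuthUserFile"; bad = 1 }
        if (!seen_name) { print "missing AuthName"; bad = 1 }
        if (!seen_type) { print "missing AuthType"; bad = 1 }
        if (!seen_req)  { print "missing require valid-user"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample containing two of the mistakes, for a stand-alone run.
sample=$(mktemp)
printf 'AuthUserFile /www/sites/nyu.edu/htdocs/path_to_site/.htpasswd \n' > "$sample"
printf 'AuthName My Private Site\nAuthType Basic\nrequire valid-user\n' >> "$sample"
lint_htaccess "$sample" || echo "fix the findings above before testing in a browser"
rm -f "$sample"
```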

Creating your .htpasswd file

After you've followed steps to create your .htaccess file, you'll then need to create a password file.

The file .htpasswd contains the password(s) of the user(s). You may choose to create only one user and one password, or you may choose to create specific usernames and passwords for various individuals. This is up to you.

  1. Log into your i4 account using SSH.
  2. Locate and change to the web directory you'd like to restrict access to.
  3. At the command line, type:
    htpasswd -c .htpasswd someuser

    for the first user (where someuser is the username).
  4. You will then be prompted twice for the user's password. Using the -c option with the htpasswd command allows the .htpasswd file to be created.
  5. Then, for each additional user, you'll only need to type:
    htpasswd .htpasswd someuser

If you subsequently view the .htpasswd file, you'll see that each line has the username first and then the password for that user.

However, the password has been encrypted. For example, an .htpasswd file that allows access to users john, mary, and tim would look something like this:

john:NgFQ1vnnW/tJk
mary:Waquohh.OY3w
tim:EMt8amgnyuYD2

Make sure you remember the associated passwords!
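
The stored form of each password also determines how well it holds up if the .htpasswd file is ever read by someone else. The shell function below is an added example, not part of the original instructions; it goes beyond this page by classifying each entry by the hash formats Apache's htpasswd documentation describes, and the name audit_htpasswd and all sample entries are constructed for illustration.

```shell
#!/bin/sh
# audit_htpasswd FILE  (hypothetical helper name, added for illustration)
# Prints "user scheme verdict" per entry; returns 1 if any entry is weak.
audit_htpasswd() {
    awk -F: '
    /^[ \t]*$/ || /^[ \t]*#/ { next }          # skip blank and comment lines
    {
        hash = substr($0, length($1) + 2)      # text after the first colon
        if      (index(hash, "$2y$") == 1)   scheme = "bcrypt"
        else if (index(hash, "$apr1$") == 1) scheme = "apr1-md5"
        else if (index(hash, "$5$") == 1 || index(hash, "$6$") == 1) scheme = "sha2-crypt"
        else if (index(hash, "{SHA}") == 1)  scheme = "sha1-unsalted"
        else if (length(hash) == 13 && hash ~ /^[.\/0-9A-Za-z]+$/) scheme = "des-crypt"
        else scheme = "unrecognised"           # may be plain text or damaged
        # Traditional crypt() uses only the first 8 password characters and
        # {SHA} has no salt; Apache documents both as insecure.
        weak = (scheme == "des-crypt" || scheme == "sha1-unsalted" || scheme == "unrecognised")
        if (weak) bad = 1
        printf "%s %s %s\n", $1, scheme, (weak ? "WEAK" : "ok")
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample entries (not real hashes), for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$2y$10$CONSTRUCTEDxSAMPLExVALUExNOTxAxREALxHASHx0000000000000
bob:$apr1$constrct$CONSTRUCTEDSAMPLEVALUE
carol:abJnggxhB/yWI
dave:{SHA}Q09OU1RSVUNURURfU0FNUExF
EOF
audit_htpasswd "$sample" || echo "re-issue the WEAK entries with a stronger scheme"
rm -f "$sample"
```

Entries reported as des-crypt have the same 13-character shape as the example file above. If the htpasswd on your server supports it, the -B option (bcrypt, available in Apache 2.4) re-creates an entry in a stronger form.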

Deleting a user

To delete a user from your password file, you can either use a Unix text editor (like vi) to edit the .htpasswd file directly, or use your SFTP program to download the file to your local machine and use a text editor to open the file. Delete the line that begins with the user's name.

You may need to change the file permissions on both your .htpasswd and .htaccess files to 644 (rw-r--r--). This makes the file usable by the Web server, but prevents it from being read by a Web browser. Please see our tutorial on Unix file permissions for more information.

Testing your .htaccess file

Remember to test out the restriction file to ensure that it is working correctly. Go to the URL of the part of your site that you've restricted and enter in the appropriate information combination. Remember, once you've logged in successfully, you'll need to quit and restart your browser in order to test again.