Steps for Creating a Password Protected Area on a USPS Website


The following procedure will guide USPS webmasters through the process of creating a password-protected area using htaccess on USPS websites. The procedure creates a simple password protected area where everyone accessing the area uses the same password. Only those with the logon and password will have access to information placed in the protected area.

The htaccess application is very powerful and contains many configurable options that will meet most authentication, authorization and access control needs. Webmasters wishing to use htaccess functionality beyond the simple password access provided in this procedure can obtain further documentation at the following links:

http://httpd.apache.org/docs/howto/auth.html
http://apache-server.com/tutorials/ATusing-htaccess.html
http://httpd.apache.org/docs/mod/core.html#acceptfilter

While the basic authentication in htaccess is very robust, it does have weaknesses that can be exploited. Although the password is stored on the server in an encrypted format, it is passed from the client to the server in plain text. Anyone listening on the network with a packet sniffer will be able to read the username and password in the clear as they go across. In addition, the username and password are passed with every request, not just when the user first types them in. Fortunately, very few hackers have the ability to intercept a password as it is being sent across the network and USPS websites should not have anything on them requiring stronger protection. Your users, however, should be encouraged to use a different password on your web site than they do for other more essential things.
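What the paragraph above describes, shown as an added example that is not part of the original procedure: Basic authentication only base64-encodes login:password, and the browser repeats that header on every request for a protected page. The three requests, the login member, the password boat:2006 and the file roster.html are constructed sample data; base64 -d is the GNU coreutils form of the decode option.

```shell
#!/bin/sh
# Constructed sample: three requests as they appear on an unencrypted
# connection (login "member" and password "boat:2006" are made up).
sample_requests() {
cat <<'EOF'
GET /localusps/squadronname/member/ HTTP/1.1
Host: www.usps.org
Authorization: Basic bWVtYmVyOmJvYXQ6MjAwNg==

GET /localusps/squadronname/member/roster.html HTTP/1.1
Host: www.usps.org
Authorization: Basic bWVtYmVyOmJvYXQ6MjAwNg==

GET /localusps/squadronname/index.html HTTP/1.1
Host: www.usps.org

EOF
}

# Number of requests that carry the credentials (one per protected page).
count_requests_with_credentials() {
    grep -ci '^authorization: basic '
}

# Turn one "Authorization: Basic ..." line into "login<TAB>password".
# The value is base64, an encoding, so no key is needed to reverse it.
# Only the first colon separates the login from the password.
decode_basic() {
    b64=$(printf '%s\n' "$1" |
          sed -n 's/^[Aa]uthorization: *[Bb]asic *//p' | tr -d '\r')
    [ -n "$b64" ] || return 1
    creds=$(printf '%s' "$b64" | base64 -d) || return 1
    printf '%s\t%s\n' "${creds%%:*}" "${creds#*:}"
}

echo "requests with credentials: $(sample_requests | count_requests_with_credentials)"
sample_requests | grep -i '^authorization:' | sort -u |
    while read -r line; do decode_basic "$line"; done
```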

While every effort was made to keep this procedure simple, it does assume that the user has basic computer knowledge. Read the whole document thoroughly before attempting to do anything. Your website may become unusable if you are not careful. If you do not understand any of the instructions, do not proceed further without obtaining additional assistance. Double-check everything you type. Mistyped characters will cause problems.

This procedure is for computers running the Windows operating system and uses WS_FTP and PuTTY. Both of these applications can be obtained from the ITCom website at the following URL:

http://www.usps.org/national/itcom/html/internet_tools.html

Remember that all files and commands on the USPS server are case sensitive, i.e. MyFile is a different file than myfile.

STEP 1 - Before using WS_FTP to connect to your web area, write down the information that appears in the Host Name / Address field.

STEP 2 - Using WS_FTP, connect to your web area on the USPS server.

After you FTP to your website, you are connected to the main web document directory of your site. The path to this directory should be displayed above the list of files and should look similar to one of the following:

/web/webroot/localusps/squadronname (for squadrons and districts)
/web/webroot/national/committeename (for national committees).

STEP 3 - Write down the path to your web area. The remote FTP window will display a list of files and subdirectories used by your website.

STEP 4 - Using the MkDir button in WS_FTP, create a new directory called member as a subdirectory of your main web document directory.

STEP 5 - Using the MkDir button in WS_FTP, create a new directory called _logins as a subdirectory of your main web document directory (note the underscore before the word "logins".)

The web directories and files on your local computer should mirror your web directories and files on the USPS server; therefore, you should also create both of these new directories on your local computer as sub-directories of your main web document directory.

STEP 6 - Copy and paste the following information to a new Notepad document. In Notepad, correct the Italics in the AuthUserFile path below to match the path you saved in Step 3. You can also change the information in Italics following AuthName to whatever you would like to call your protected area (this information is displayed when the logon and password dialog box is displayed.)

AuthUserFile /web/webroot/localusps/squadronname/_logins/.htpasswd
AuthGroupFile /dev/null
AuthName "Squadron Member Area"
AuthType Basic

require valid-user


There should be no blank lines before the configuration information. The preceding configuration file can be used to get your password-protected area up and running. Later, you may wish to provide your own error page instead of the generic "unauthorized" error page. You can do this by adding the line shown below in bold to your configuration file (this gives you a way to provide your users with directions on how to obtain access.) Be sure to change the ErrorDocument path information shown below in Italics to match the underlined portion of the AuthUserFile path.

AuthUserFile /web/webroot/localusps/squadronname/_logins/.htpasswd
AuthGroupFile /dev/null
AuthName "Squadron Member Area"
AuthType Basic

ErrorDocument 401 /localusps/squadronname/errorpage.html

require valid-user

If you include the ErrorDocument 401 line, you must also create a new web page that explains to your users that they did not enter the right login and password to enter the protected area. Name this page errorpage.html and place it in your main web document directory.

STEP 7 - Save the configuration document as .htaccess on your computer in the new member directory (be sure to include the period before the name.) Notepad may save the file as .htaccess.txt. If it does, rename it to .htaccess (without the .txt) using either WS_FTP or Windows Explorer.

Any file stored in the directory that contains the .htaccess file (the member directory in our case) will require a login and password before it can be accessed. Therefore, any webpage, graphic or document placed in the member directory will be protected. All subdirectories of the member directory will also be protected. Any file not stored in the member directory, or a subdirectory of member, will not be protected.

STEP 8 - Use WS_FTP to FTP the .htaccess file to the member directory of your website on the USPS server. You probably won’t be able to see the file immediately since files that start with a period are considered hidden files. On WS_FTP, the white box located between the MkDir button and the View is called the File Mask Text Box. If you type -a in the remote site File Mask Text Box, WS_FTP will display hidden files located on the USPS server. After typing -a in the remote File Mask Text Box, click the Refresh button and the .htaccess file should now be displayed.


We are now approaching the tricky part of the procedure. In order to create a password file for our protected area, we need to actually execute an application on the USPS server. The USPS server is a UNIX (Linux) server. UNIX commands are different from the commands used on other computers. Be sure to type the UNIX commands exactly as they appear (they are case sensitive.) WS_FTP can only move files to and from the server; it can't execute applications on the server. Therefore, we need to use PuTTY. PuTTY with SSH is used because it is more secure than TELNET. When you extract the PuTTY archive, you will find several files included in the archive; use the putty.exe file. You will need to know the logon ID and password that you use in your FTP program to gain access to the USPS server. The following are the UNIX commands we will be using:

cd [new directory]               change to a new directory
cd ..                            change to a directory one level up
ls                               list the files in the current directory
ls -a                            list all files (including hidden ones)
pwd                              show current path
rm [file name]                   delete a file or directory
cp [source file] [dest file]     make a copy of a file with a different name

STEP 9 - Start the PuTTY application and place the information saved in Step 1 in the Host Name (or IP address) field (currently 168.143.168.169) and be sure that the SSH radio button is selected. Select Open to run the application and a new window will open. You will see a message "Welcome to the USPS server".

STEP 10 - Following the opening message, you will see the Login as: prompt. Carefully type the login you use to access your web area with FTP (remember it's case sensitive) and hit enter.

Next, you will see the password: prompt. Carefully type the password you use to access your web area with FTP (remember it's case sensitive) and hit enter.

STEP 11 - The path to the current directory will be displayed in the title bar of the window. If it is not the same path that you saved in Step 3, type the following command (do not include the brackets): cd [path from Step 3] and hit enter, otherwise proceed to Step 13.

STEP 12 - Type pwd and hit enter.

The path of your main web document directory (from Step 3) should be displayed in the window.

STEP 13 - Type cd _logins (remember the underscore) and hit enter.

The prompt should now show that you are in the _logins directory (the pwd command will display the full path to your current location.) If you are not in the _logins directory, go back to Step 11.

STEP 14 - Type the following command to create a new password file (you must be in the _logins directory): /usr/bin/htpasswd -c .htpasswd [username] where username is the username you want to use (do not include the brackets.)

STEP 15 - You will be prompted for a New password: (this is what you want the password to be for the username entered in Step 14.)

You will be prompted to Re-type new password: (retype the password exactly as you did at the first prompt.)

Type the following command: ls -a and the .htpasswd file should be displayed.

STEP 16 - Close the PuTTY application.

STEP 17 - With -a still in WS_FTP's remote File Mask Text Box, the .htpasswd file should be displayed in the remote File List Box when you are in the _logins directory. Use FTP to select and copy the .htpasswd file from the _logins directory on the remote server to the _logins directory of your local computer. This will give you a backup copy of the password file if there is ever a problem on the USPS server. If you select the .htpasswd file and choose View, you should see something like the following displayed:

[logon]:AlTHoddldlmaY

Login is the Login ID you selected and the characters after the colon are the encrypted password.

In the future, Steps 9 - 17 can be repeated whenever you feel it is necessary to change the login ID and password. The new .htpasswd file that is created each time will replace the previous password file (remember, the new file will be created in the directory that you are currently in.)

Your new password protection should now be in place. Create a new webpage called index.html and save it to your member directory. This file is different from the index.html file in your main web document directory. By using a file called index.html in the member directory, you can access the member area by just typing the directory name (member) instead of having to type the directory name and a file name. The other files in your password-protected directory can be called whatever you want.

Type the URL for your member area (i.e., www.usps.org/localusps/squadronname/member) to see if you are asked for a login and password before being given access. If your password protection doesn’t work, check your configuration file carefully for typos. Some JavaScript files have been known to cause problems with htaccess, so you might try removing them if things still do not work.
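One way to do the typo check suggested above from the PuTTY session, as an added example rather than part of the original procedure: it tests the .htaccess from Step 6 against the password file from Step 14. The helper names directive, check_htaccess and make_demo are hypothetical, and the demo runs against a constructed copy of the member and _logins layout in a temporary directory.

```shell
#!/bin/sh
# Print the value of directive $2 in file $1, or nothing if it is absent.
# Apache directive names are case-insensitive; Notepad's CRs are stripped.
directive() {
    awk -v d="$2" '{ sub(/\r$/, "") }
        tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_htaccess FILE: one line per problem; exit status = number of problems.
check_htaccess() {
    f=$1; n=0
    note() { echo "PROBLEM: $1"; n=$((n + 1)); }
    [ "$(basename "$f")" = .htaccess ] || note "file name is not .htaccess"
    head -n 1 "$f" | grep -q '[^[:space:]]' || note "blank line before the configuration"
    [ "$(directive "$f" AuthType)" = Basic ] || note "AuthType must be Basic"
    [ -n "$(directive "$f" AuthName)" ] || note "AuthName is missing"
    [ "$(directive "$f" require)" = valid-user ] || note "require valid-user is missing"
    pw=$(directive "$f" AuthUserFile)
    case $pw in
        /*/.htpasswd) ;;
        *) note "AuthUserFile must be the full path to .htpasswd, got '$pw'" ;;
    esac
    if [ ! -s "$pw" ]; then
        note "password file '$pw' is missing or empty (Step 14)"
    elif grep -vq '^[^:][^:]*:..*$' "$pw"; then
        note "a line in $pw is not of the form login:hash (Step 17)"
    fi
    return "$n"
}

# Constructed demo: a throwaway copy of the page's directory layout.
make_demo() {
    root=$(mktemp -d)
    mkdir "$root/member" "$root/_logins"
    echo 'member:AlTHoddldlmaY' > "$root/_logins/.htpasswd"   # hash as shown in Step 17
    cat > "$root/member/.htaccess" <<EOF
AuthUserFile $root/_logins/.htpasswd
AuthGroupFile /dev/null
AuthName "Squadron Member Area"
AuthType Basic

require valid-user
EOF
    echo "$root"
}

demo=$(make_demo)
check_htaccess "$demo/member/.htaccess" && echo "OK: no problems found"
rm -rf "$demo"
```

To check the real file, call check_htaccess with the path to member/.htaccess under the directory you wrote down in Step 3.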

Here are some final reminders. Any files placed in the member directory (or its subdirectories) will be protected. Any files not in the member directory (or its subdirectories) will not be protected. Since the htaccess application runs on the USPS server, there will be no password protection on your local computer. Finally, once you have correctly entered your login ID and password, you will not be asked for them again in the same browser session (you can go back and forth between protected and non-protected pages without being asked for them again.) Once you restart the browser, however, you will again be asked for your login and password.

Please report any areas of confusion or problems to jwill@voyager.net.

Good Luck!
©2006 United States Power Squadrons