Password Protection

Password protecting directories using .htaccess files

(*Note the warning below.)

You can create password-protected directories on the webdocs system using .htaccess files.  There are two options, one where users use their CSID to authenticate (i.e., their CSID is their username), a second where you create your own username and password.   Here are the two templates:

  1. Using CSID authentication
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Please login with your Computing Science Identifier (CSID)"
    AuthLDAPURL "ldaps://ldap.cs.ualberta.ca:636/cn=Users,dc=cs,dc=ualberta,dc=ca?uid?sub?(objectClass=*)"
    <Limit GET POST >
    Require User CSID
    </Limit>

  2. Using custom .htaccess/password file combinations
    AuthType Basic
    AuthName "Please login with your username and password"
    AuthUserFile /compsci/webdocs/your_CSID/htpasswd
    <Limit GET POST >
    Require User username
    </Limit>

Creating a authentication user file

To create the file initially
htpasswd -c password_file_name username

You will then be prompted to enter the password for the username you specified on the command line. For adding subsequent users simply remove the -c option from the command line and give the path to the password_file_name used above.
htpasswd password_file_name username

Once you have created your password file and added your users you need to copy this file to the webdocs samba server. It is recommended for security reasons that you place this file one level up on the samba server e.g. instead of placing it in CSID/web_docs place the password file in CSID/. The webserver on webdocs is configured to not serve files out of the directory preventing malicious users from getting the password file and running dictionary attacks on the file to retrieve the plain text of the users password.  

Reminder: All directories or orientated from the server side as /compsci/webdocs/CSID so in your .htaccess file the AuthUserFile directive should be e.g. /compsci/webdocs/CSID/htpasswd.

Security using .htaccess files

Warning: When you link to a document that is in a directory protected by a .htaccess file you should always use https as the protocol part of the URL (ie. https://webdocs.cs.ualberta.ca/~CSID/protected/foo.html). If you fail to link to it over the encrypted SSL connection, the user's password will be delivered in the clear, meaning it can be intercepted by a third party, compromising the password and "secured" documents.  You also need to ensure your permissions are correct.  Please contact the CS Helpdesk if required; you will be directed to a TST staff member who can assist you.

It is not possible to work around this problem with redirects as the password will be sent in the clear before the server delivers the redirect (at which point the password is already compromised).

TST monitors connections to and from our servers looking for passwords transmitted in the clear. If a CSID's password is found in the clear, we abuse the account immediately and request the user visit the helpdesk to change their password. We may also disable access to the linking page on webdocs to prevent further users from sending their credentials in the clear.