HTTP Authorisation Test Page

Select a Protected Directory

I have set up two directories which are protected separately:

Staff Area
User name: staff-member
Password: coffee-and-biscuits
Student Area
User name: student
Password: burgers-and-chips

If you try to access these locations or any files inside them, your browser will display its default prompt for entering authorisation details. Various online systems use this prompt to protect their content from unauthorised users. If you enter incorrect details, the server responds with an "Error 401: Authentication Required" status page.

I use custom status pages on Site Surgeon and can make them for other projects.

How it Works

When a user requests to access any part of a website:

  1. The server looks at the request.
  2. If the request is for a resource in a protected area it will check if this user is authorised:
    1. If they are:
      1. The resource is sent to the user.
    2. If they are not:
      1. The server sends an instruction to the browser to display an authorisation prompt.
      2. The user returns their details using the prompt.
      3. The server checks if they match the details required to access that resource.
  3. If they do match, the resource is sent to the user and they are authorised to access other resources in that area. If they do not match, the user is sent the "Error 401: Authentication Required" status page instead of the protected resource.

How it is Done

I set this example up using cPanel server management software, which simply provides a nice interface for using common features of Apache Web Server. Apache is by far the most common server system in use worldwide, making this system fairly easy to implement for any project.

Folder Configuration File

A special file called .htaccess is created in the protected folder. For the Student Area it contains this data:

AuthType Basic
AuthName "Staff Area"
AuthUserFile "/home/ben/.htpasswds/!dev/http-authorisation/staff/passwd"

require valid-user

What this data means:

AuthType Basic
The user's details will be checked using the HTTP Basic authentication scheme.
AuthName "Staff Area"
The browser's prompt will use the text between the quotation marks (") to describe the protected resource when it asks for authorisation details.
AuthUserFile "/home/ben/.htpasswds/!dev/http-authorisation/staff/passwd"
Sets the location of the valid user names and passwords for this area.
require valid-user
Any user whose details match an entry in the password file is allowed in; users who enter invalid details are rejected and sent the "Error 401: Authentication Required" status page.

Password Configuration File

Another special file is created in a special system directory of the server. That directory is not publicly accessible, which improves security. For the Student Area the file was created here:

/home/ben/.htpasswds/!dev/http-authorisation/staff/passwd

The contents of this file are:

student:pNfn.4dMNE/76

What this data means:

student
An authorised user name.
:
The colon character (:) is a separator between user name and password.
pNfn.4dMNE/76
Hashed form of the "burgers-and-chips" password (a one-way digest rather than the password itself). Storing it like this further improves security.

If several users should have access to the area, each user is placed on a new line.
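The following is an added example, not part of the original page, that models the exchange described in "How it Works" against a password file in the format shown above: the server challenges with a 401 and a WWW-Authenticate header, the browser replies with an Authorization: Basic header, and the server looks the user up in the password file. The file is constructed inside the script and uses the {SHA} hash form that "htpasswd -s" writes (the page's own file uses the older crypt() form); the user names, realm and request headers are assumptions for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "Staff Area"  # the AuthName value the browser shows in its prompt


def sha_hash(password: str) -> str:
    """{SHA} form written by 'htpasswd -s': base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed password file: one "user:hash" entry per line (not the page's file).
HTPASSWD_TEXT = "\n".join([
    "# comment and blank lines are ignored",
    f"staff-member:{sha_hash('coffee-and-biscuits')}",
    f"student:{sha_hash('burgers-and-chips')}",
])


def parse_htpasswd(text: str) -> dict:
    """Map user name -> stored hash; the first colon separates the two fields."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, stored = line.split(":", 1)
            users[name] = stored
    return users


def password_matches(stored: str, password: str) -> bool:
    """Constant-time check against a {SHA} entry; other schemes fail closed."""
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_hash(password))


def basic_header(user: str, password: str) -> str:
    """What the browser sends back after the user fills in the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def handle_request(headers: dict, users: dict) -> tuple:
    """Return (status, response headers) for a request into the protected area."""
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return challenge  # no details yet: instruct the browser to show the prompt
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return challenge  # malformed header is treated like wrong details
    user, _, password = decoded.partition(":")  # password itself may contain ':'
    if user in users and password_matches(users[user], password):
        return (200, {})
    return challenge


USERS = parse_htpasswd(HTPASSWD_TEXT)
```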

Bibliography

I used Monash University's HTTP User Authentication notes to understand the practical details of the server configuration.