1. K-State home
  2. »DCM
  3. »Web Services
  4. »CMS
  5. ».htaccess notes
  6. »Restricting access to web pages

Restricting access to web pages

Web pages are normally available to anybody. However, access to web pages can be restricted by requiring a username and password.  The username can be:

  • Any K-State eID
  • A list of K-State eIDs
  • A shared ID unrelated to a K-State eID

All methods share some features:

  • It is best to collect restricted pages into a single directory that contains just restricted pages. Restrictions will apply to all files and subdirectories in the restricted folder.
  • Restrictions are controlled by a file called .htaccess that is placed in the directory to be protected.  The format of the .htaccess file is very specific; be careful when editing this file.

Restricting access to any K-State eID

Place the following lines in the .htaccess file.

   AuthType CAS
Require valid-user


Restricting access to people with a K-State eID and password is not the same as restricting access to K-State students and employees. Anybody can register for a K-State eID.

Restricting access to a list of K-State eIDs

Place the following lines in the .htaccess file.

   AuthType CAS
Require user eid1 eid2 eid3...

The list of eIDs is a blank-delimited list of K-State eIDs that are allowed access. Any number of eIDs may appear on the line.

Alternately, multiple lines can be used to list all users allowed access:

   AuthType CAS
Require user eid1
Require user eid2
Require user eid3

EIDs can be listed in any order. However, keeping the list alphabetic will aid in future maintenance.

Testing access restrictions

Testing access restrictions is complicated by the use of single sign-on.  After publishing the .htaccess file, if you view the protected page, you will likely be granted access without authentication -- because you are signed in already.

To verify the access restrictions are operating correctly, use a browser that is not signed in to K-State or use the private browsing feature of your browser.

Restricting access with a shared ID

For situations where security is not critical and non-K-Staters may be allowed access, a username and password may be used that is unrelated to a K-State eID.  The username and password must be distributed via email or other means.

Place the following lines in the .htaccess file.

   AuthType Basic
AuthName "Password Protected Area"
AuthUserFile "/var/www/www.k-state.edu/htdocs/path-to-site/userlist.txt"
Require valid-user

Where path-to-site is the path to the site's files on the web server. For sites on www.k-state.edu, this is just the pathname portion of the URL, down to the directory being protected. For example, if www.k-state.edu/dept/secure/ is being protected, path-to-site is dept/secure.

For other sites, contact webservices@k-state.edu.

The username and password are encrypted and listed in a file named userlist.txt. A variety of online password encryption facilities are available.  The encryption page created by Hosting Canada supports Bcrypt, which is supported in our hosting environment and is considered more secure than earlier encryption schemes.