.htaccess-style security:

You can set up your web directories to require userids and passwords for access to web objects in them. When properly set up, the web server will request a userid and password from the web browser. The web browser in turn requests this information in a pop-up window; after you provide the information, the browser remembers the userid & password for the duration of the session and supplies them to the web server each time you access protected objects.

THIS MEANS THAT YOU NEED TO EXIT YOUR BROWSERS WHEN YOU HAVE FINISHED USING THEM. OTHERWISE, HACKERS CAN CONTINUE TO USE YOUR BROWSER TO ACCESS PROTECTED OBJECTS WITHOUT HAVING TO SUPPLY A USERID AND PASSWORD.

You can create many different arrangements, where individuals may be able to access directories without a userid/password combination, a particular userid/password combination to access a particular directory, and a different combination to access a different directory.

The basic procedure is as follows:

1. You "create" a userid in a special password file. The command is:

    /www/httpd/support/htpasswd [ -c passwordfile ] userid

The part in "[ ... ]" is optional and specifies the name of the password file which is to be created--this is normally done once only. This password file can reside anywhere the web server can see it and is normally called ".htpasswd". I'd recommend putting it in ~/public_html. The htpasswd program will prompt you twice for the password of the new user you are adding.

The .htpasswd file looks like this after two users have been added:

    drs8h:NijEBcC2UX7XQ
    drs8i:2KQuglF10vI4s

2. In the directory you want to protect, create a .htaccess file. This file looks like this:

    AuthUserFile /home/drs8h/public_html/.htpasswd
    AuthGroupFile None
    AuthName ByPassword
    AuthType Basic
    require user drs8h drs8i

Note that AuthUserFile specifies an ABSOLUTE path to your password file.
Also note that not every .htaccess file you create has to allow every user defined in your .htpasswd file access to that particular directory. You can select just a subset of users (including none, which would be a way to stop a web server from reading a particular subdirectory under public_html (permission bits being the other)).

2b. If you are running under a Netscape Commerce Server (NCS) (instead of NCSA's HTTPD server), a different filename and file format is required. First, the NCS must be configured to use this type of security control; contact your System Administrator to make sure it's turned on. Then create the appropriate file (usually, it's ".nsconfig") in the directory you want to protect. The format of that file is:

    RequireAuth userfile=/fullpath/to/.htpasswd realm=NCS userpat="(user1|user2)"

There is a userlist keyword which does not currently work. Note that the same NCSA password file can be used under an NCS as is used under an NCSA HTTPD server. The same utility (/www/httpd/support/htpasswd) can be used to build it. A DBM (keyed-index) password file can be used instead, but for small numbers of users, it isn't worth the trouble.

3. You can also create groups by using a .htgroup file. The .htgroup file can reside anywhere the web server can read files (I'd recommend public_html) and looks like this:

    class1: drs8h
    class2: drs8i
    all: drs8h drs8i

A .htaccess file which uses this group file looks like this:

    AuthUserFile /home/drs8h/public_html/.htpasswd
    AuthGroupFile /home/drs8h/public_html/.htgroup
    AuthName ByPassword
    AuthType Basic
    require group all

Like AuthUserFile, AuthGroupFile must specify an ABSOLUTE path here.
The above file would be for access to public_html; a subdirectory called "class1" could have the following (different) .htaccess file:

    AuthUserFile /home/drs8h/public_html/.htpasswd
    AuthGroupFile /home/drs8h/public_html/.htgroup
    AuthName ByPassword
    AuthType Basic
    require group class1

In other words, drs8h and drs8i can access public_html (with the correct password for each) but only drs8h can access public_html/class1.
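
To check which userids a given .htaccess really admits, the three files from steps 1 to 3 can be resolved against each other. The script below is an added example, not part of the original page or of any web server distribution; the function names are hypothetical, and it assumes one "require" line per .htaccess file, as in the examples above.

```python
import posixpath

# Sample inputs copied from the page's examples (the class1 subdirectory).
HTPASSWD = "drs8h:NijEBcC2UX7XQ\ndrs8i:2KQuglF10vI4s\n"
HTGROUP = "class1: drs8h\nclass2: drs8i\nall: drs8h drs8i\n"
HTACCESS_CLASS1 = ("AuthUserFile /home/drs8h/public_html/.htpasswd\n"
                   "AuthGroupFile /home/drs8h/public_html/.htgroup\n"
                   "AuthName ByPassword\nAuthType Basic\nrequire group class1\n")

def parse_htaccess(text):
    """Map each directive (lower-cased) to its arguments; one 'require' line assumed."""
    return {p[0].lower(): p[1:] for p in (l.split() for l in text.splitlines()) if p}

def parse_htpasswd(text):
    """Set of userids from 'userid:hash' lines."""
    return {l.split(":", 1)[0].strip() for l in text.splitlines() if ":" in l}

def parse_htgroup(text):
    """Map group name to its member set from 'group: user user' lines."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l)
    return {name.strip(): set(members.split()) for name, members in pairs}

def audit(htaccess, htpasswd, htgroup=""):
    """Return (users who can actually log in, list of problems) for one directory."""
    d, users, groups = parse_htaccess(htaccess), parse_htpasswd(htpasswd), parse_htgroup(htgroup)
    problems = []
    for key in ("authuserfile", "authgroupfile"):
        path = (d.get(key) or [""])[0]
        if path.lower() != "none" and not posixpath.isabs(path):
            problems.append(f"{key}: missing or not an absolute path: {path!r}")
    req = d.get("require") or [""]
    kind, names = req[0].lower(), req[1:]
    if kind == "user":
        wanted = set(names)
    elif kind == "group":
        problems += [f"group {g!r} is not defined in the group file"
                     for g in names if g not in groups]
        wanted = set().union(*(groups.get(g, set()) for g in names))
    else:
        wanted = set()
        problems.append("no 'require user' or 'require group' line")
    problems += [f"user {u!r} is required but has no password entry"
                 for u in sorted(wanted - users)]
    return wanted & users, problems

if __name__ == "__main__":
    print(audit(HTACCESS_CLASS1, HTPASSWD, HTGROUP))
```

Run it with the contents of each directory's .htaccess in turn; a non-empty problem list means the file does not grant the access its "require" line appears to.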