
Personal Web Pages




Spring, 2016, Changes

"Clickjacking", also known as a "UI redress attack", is when a malicious website uses opaque layers to deceive a user into clicking a button or link that takes them to a page different than what the button or link indicates they will be taken to. Thus, the "click" is being "hijacked" which is the root of the description "clickjacking".

A similar technique allows keystrokes to be hijacked. Using a combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

To help prevent this from happening to guests of the Ohio University website, we have implemented a practice that prohibits, with few highly controlled exceptions, content from resources on Ohio University websites from being displayed within pages served from outside the www.ohio.edu domain. Thus, if you have a personal website that is hosted on an outside hosting provider, and you were displaying content from your university-provided personal web space on that website via iframe or other means, it may no longer display properly.
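This page does not say which mechanism the server uses for the restriction; browsers enforce framing limits through the `X-Frame-Options` header and the `frame-ancestors` directive of `Content-Security-Policy`. The following added example (not OIT's code) decides from constructed response headers whether a page on a given site may frame a resource; ports and paths in source expressions are ignored, and the header values are assumptions.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host) of a URL; ports are ignored in this sketch."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()

def source_allows(source, embedder, resource):
    """Match one frame-ancestors source expression against the embedding page."""
    scheme, host = embedder
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == resource
    if src == "*":
        return scheme in ("http", "https")
    if src.endswith(":"):                      # scheme-source such as "https:"
        return scheme == src[:-1]
    want_scheme = resource[0]                  # no scheme given: use the resource's
    if "://" in src:
        want_scheme, src = src.split("://", 1)
    if scheme != want_scheme and not (want_scheme == "http" and scheme == "https"):
        return False
    src_host = src.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    if src_host.startswith("*."):              # wildcard matches subdomains only
        return host.endswith(src_host[1:])
    return host == src_host

def may_frame(headers, resource_url, embedder_url):
    """True if a browser would render resource_url in a frame on embedder_url."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    resource, embedder = origin(resource_url), origin(embedder_url)
    for directive in hdrs.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # When present, frame-ancestors is enforced instead of X-Frame-Options.
            return any(source_allows(s, embedder, resource) for s in tokens[1:])
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == resource
    return True    # no framing restriction sent: any site may frame the page

# Constructed sample values (not captured from www.ohio.edu).
RESOURCE = "https://www.ohio.edu/people/OhioID/index.html"
CSP_SELF = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
NO_POLICY = {"Content-Type": "text/html"}
OUTSIDE = "https://hosting.example/me.html"   # hypothetical outside host

if __name__ == "__main__":
    for name, hdrs in (("CSP", CSP_SELF), ("XFO", XFO_ONLY), ("none", NO_POLICY)):
        print(name, "outside host may frame:", may_frame(hdrs, RESOURCE, OUTSIDE))
```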









These remaining changes were originally planned for late 2015, but have been postponed. Any remaining references to 2015 should be taken as referring to early 2016.

In order to reduce the risk of "man-in-the-middle" attacks, we are shifting all Front Door resources from standard ("plaintext") to secure ("encrypted") serving. The transition for personal web pages is now in progress, with cut-over planned for spring semester. In addition to changing the way we serve the pages, we are also shifting the terminology we use, as shown in the tables:

Pre-2015 Terminology

| Data transfer type | Access control: no restriction | Access control: password-protected |
|---|---|---|
| URL starts http | "public" | [not done] |
| URL starts https | [not done] | "secure" |


Post-2015 Terminology

| Data transfer type | Access control: no restriction | Access control: password-protected |
|---|---|---|
| URL starts http | [not done] | [not done] |
| URL starts https | "public" | "restricted" |


There will be no changes in the authoring process for your public web pages: they will continue to be uploaded to the server just as and where they have been. Their URLs will change from http://www.ohio.edu/people/OhioID/ to https://www.ohio.edu/people/OhioID/, but the Front Door will be configured to automatically redirect any browser request for an old URL, so that the browser will ask for the new URL of that item; hence, no links to public resources will be broken.

For password-protected (restricted-access) web resources, the URL will change from https://www.ohio.edu/people/OhioID/ to https://www.ohio.edu/people/OhioID/restricted/  — unfortunately, this change cannot be addressed by an automatic redirect. You must update external links leading to such items, and may be required to change internal links, image references, etc., depending on the details of the HTML code currently in use. Until the cut-over, your existing restricted-access items will continue to be located where they have been (so that there will be no change in authoring, beyond what you do to prepare for the cut-over); they will be served from their old URLs; and you will be able to build and test the new incarnation of your restricted-access resources, so that few, if any, links will be broken after we cut over to the new arrangements. After the cut-over, uploading new restricted-access items will be simpler than it has been.
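One way to find the links that need manual editing, as an added example (not OIT's tooling): it applies the pre-cut-over rule from the tables above (http means public, https means password-protected) to every `href` and `src` in a page written before the cut-over. `OhioID` is the page's placeholder, the sample HTML is constructed, and relative links are reported as unaffected because they are not rewritten here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

OHIO_ID = "OhioID"                 # placeholder from this page; use your own ID
ROOT = f"/people/{OHIO_ID}/"

class LinkCollector(HTMLParser):
    """Collect every href/src attribute value in a document."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def classify(url):
    """Return (status, replacement) for one URL found in pre-cut-over HTML."""
    p = urlsplit(url)
    if (p.hostname or "").lower() != "www.ohio.edu" or not p.path.startswith(ROOT):
        return "unaffected", url
    if p.scheme == "http":
        # Public item: the Front Door redirects the old URL to https.
        return "redirected", urlunsplit(p._replace(scheme="https"))
    rest = p.path[len(ROOT):]
    if rest == "restricted" or rest.startswith("restricted/"):
        return "already-new", url
    # Old password-protected URL: no automatic redirect, so edit it by hand.
    return "must-update", urlunsplit(p._replace(path=ROOT + "restricted/" + rest))

def plan(html):
    """List (found_url, status, replacement) for each link in the HTML text."""
    collector = LinkCollector()
    collector.feed(html)
    return [(u, *classify(u)) for u in collector.urls]

# Constructed sample page.
SAMPLE = """
<a href="http://www.ohio.edu/people/OhioID/index.html">Home</a>
<a href="https://www.ohio.edu/people/OhioID/grades/week1.html">Grades</a>
<img src="https://www.ohio.edu/people/OhioID/restricted/img/key.png">
<a href="notes.html">Notes</a>
"""

if __name__ == "__main__":
    for found, status, replacement in plan(SAMPLE):
        print(f"{status:12} {found} -> {replacement}")
```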

We have revised this user guide accordingly. (Some parts are fully updated; all parts that will be different after the changes have comments identifying that fact.) If you have any questions, please ask.



You are eligible to publish a personal website through the university's "people2" system if you fall into any of the following categories:

  • Current students
  • Current employees
  • Retirees
  • Former students and alumni - for a limited time after leaving the university
  • Former employees - for a limited time after leaving the university


File Locations on the Server

For brevity, we will use "people2" to refer to the server to which you upload your personal pages. People2 is not the server used for organizational pages or academic and administrative departmental pages, even though the world sees them all as part of www.ohio.edu, the Front Door server.

The people2 server publishes personal pages of current students, current employees, retirees, and — for a limited duration after they leave Ohio University — former students (including alumni) and other former employees. During the grace period after you are no longer eligible, and before your old files are deleted from the server, you may not be able to modify your pages.

On the people2 server, there have been separate folders for the public and the secure subsites, within each of which there is a folder named, "people," and within those folders there is a folder for each person. The file locations on people2 are summarized in the following illustration, which shows the arrangements before, during, and after the transition:

[Figure: block diagram for people2 transition]

The public items will continue to be stored on the server in the same locations throughout the 2015 transition. Each author will copy any existing restricted-access items to a new folder named "restricted" inside the individual's folder inside the "people" folder, inside the "secure" folder, as shown in the lower-center portion of the diagram, above. From there, these new copies will be served with their new, long-term URLs, and they can be proofread and tested to confirm that they display correctly and that links among them work correctly. The original files will remain in place for the time being, ensuring that all existing links continue to work. When we cut over to all-secure serving, that "restricted" folder will be moved (not copied) into the individual's personal folder on the "public" side, and the server configured to enforce the existing password-protection from that location. The original secure files will no longer be served through the web, but will be available to the author by SFTP for archival reference (for a limited duration).

If your primary personal home page is on any other server, we do encourage you to go through the process outlined here (on people2), creating a simple home page named index.html that contains a link to your primary home page.

Personal pages fall into two categories: those that are under the control of the individual, and those that are not. If in doubt about which category any of your pages falls into, please contact University Communications and Marketing for clarification and guidance.

If an employee's personal site includes work-related information whose content is not under the control of that employee (i.e., if the content is the result of agreement between the employee and others, or if someone else is in a position to tell the employee what to put on the page -- e.g., instructional materials that a faculty member maintains for use by multiple instructors), then those pages are generally official, should be marked at the bottom of the page as being copyright by Ohio University, and should include the Ohio University logo signature graphic in the upper-left corner. If that is done, then both the logo graphic and the words, "Ohio University," in the copyright statement should be linked to the Front Door, http://www.ohio.edu/.

All personal pages that are under the control of the individual are unofficial, must not assert copyright by Ohio University, and must not use any official logo graphics, unless specific permission has been granted (e.g., by University Communications and Marketing for any variation of the Cutler Hall woodcut, or by Intercollegiate Athletics for the Attack Cat). It is entirely appropriate for any personal page, and especially appropriate for your home page, to have a reciprocal link to the Front Door. See the "Rules" section of http://www.ohio.edu/web/organizations/rules.cfm for the detailed specifications for reciprocal links to the Front Door. Those specifications apply to all categories of pages, not just student organizations.


Creating Your Personal Directories and Pages

The first step, normally done one time only, is to create your personal subdirectories ("home folders"), one for public and one for secure pages on people2, and then to apply the appropriate security settings. You will not be able to connect by SFTP to transfer your files, as documented in the next section, until after you have completed this step.

A separate page provides the step-by-step instructions to accomplish this task.

You are free to use whatever software you prefer to create your web site files on your personal computer. You may edit the HTML directly (e.g., with TextEdit on a Macintosh or Notepad on Windows); you may choose to "save as HTML" from a general word-processor or page layout package; or you may use a free or commercial web site authoring tool (e.g., Brackets on Macintosh, Notepad++, or Adobe Dreamweaver on Windows or Macintosh).

Once you have prepared your site files, you should proofread them from your disk drive, using at least one regular browser, before you transfer them to the server for others to see.


Transferring Files

There are three prerequisites to transferring your files according to the instructions below:

  • You must have SFTP software installed and configured with the correct preferences settings, as described under the appropriate "Install" link to the left.

  • You must have created your public and secure home folders, as described under the "Provisioning Steps" link to the left.

  • You must have your web site files in place on your personal computer. If you had an old personal site on OAK, but don't have those files on your personal computer, contact servicedesk@ohio.edu: we may still have the archived copies from just before OAK was decommissioned.

Once all three of those are done, then you can transfer your web files to people2 by Secure FTP:

  1. Connect to people2.ohio.edu with SFTP, using your own Ohio ID and password; you must have changed your password since October 1, 2007.

    • The full step-by-step instructions for using Fetch do apply to pages published through people2.

    • The full step-by-step instructions for using FileZilla do apply to pages published through people2.

    • Both sets of full step-by-step instructions include more detail and specifics to supplement the outline instructions in steps 2 through 5, immediately below.

    • If you are using some other SFTP software (e.g., using a Linux desktop system, or using the internal uploading features of Dreamweaver), then it will be useful to know that the server's full specification for the standard default location after connecting is
      Some software may require that you include the final slash; other software may require that you omit the final slash; and other software may require the use of forward-slash instead of back-slash.

    • Do not name a first-level folder within your public resources "restricted"; that name is reserved and will be used only for password-protected resources; see step 4, below.

  2. Once the SFTP connection is completed, you will be in the "people" folder inside the "public" folder, and will see an alphabetically sorted list of the Ohio ID-named folders for the people who have already provisioned their public personal subsites.

  3. For now (until the 2015 fall cut-over described at the start of this page), if you want to work on your password-protected (restricted-access) pages, then:

    • navigate "out" or "up" two levels (to look at the contents of the "people2.ohio.edu" folder, where you will observe both the "public" and the "secure" folders);

    • open the "secure" folder;

    • open the "people" folder that is inside the "secure" folder;

    • observe the sorted list of Ohio ID-named folders for the people who have already provisioned their secure personal subsites.

    • If you are using some other SFTP software (e.g., using a Linux desktop system, or using the internal uploading features of Dreamweaver), then it will be useful to know that the server's full specification for that location is


      Some software may require that you include the final slash; other software may require that you omit the final slash; and other software may require the use of forward-slash instead of back-slash.

    See also the discussion of Restricting Access, below.

  4. Scroll down to the folder whose name is your Ohio ID.

  5. Open your folder and get to work.


Disk Quota

If you attempt to upload a file that would exceed your disk space usage quota on the server, the server will refuse to accept the full file, but may well accept part of it. Either way, your SFTP software will display one or more error messages. Those messages differ among the various SFTP packages, so they are not documented here; see the step-by-step instructions, linked in step 1. A failed attempt to upload a folder full of files may create a folder with multiple partial files. You should delete any incomplete files as the first step of your recovery from this problem, to ensure that no one invests time (and network bandwidth) downloading broken files. When disk quota has been exceeded, file deletion may well be unusually slow.

You will be notified by e-mail when you approach and again when you reach your disk space quota, but of course the latter note will arrive a few minutes after the event, so it will just confirm the nature of the problem you will already have seen in your SFTP session.

The disk space quota is enforced for each top-level folder. Thus, if you are authorized to work on more than one subsite (e.g., on your own pages and also on someone else's pages — as an assistant pagemaster), the files you upload for one subsite will count against the disk quota for that subsite only. Working as an assistant pagemaster for someone else's subsite will not reduce the space available to you for your own pages.

Disk space on the server is not free; furthermore, maintaining accurate backup copies of the data for disaster recovery requires equipment and labor. That said, the primary value of disk quotas is to prevent one person's broken SFTP process from consuming the entire drive, blocking everyone's updates. If you need more disk space, please let us know. There may later be a self-service application to deal with such requests; if so, it will be linked from here. In the meantime, we will deal with such requests manually, so please let us know by e-mail to servicedesk@ohio.edu.

During the fall of 2015, those who already have secure subsites in place will receive an increase in their disk space quotas for both public and secure folders: the extra secure folder space will allow testing of the updated files in the new "restricted" folder, and the extra public folder space will allow moving that "restricted" folder during the cut-over. This paragraph will be updated when those increases are all in place.

If you were planning to use your personal web space to share large files with collaborators, please be aware that OIT also offers other services specifically designed with this need in mind (e.g., Filelocker).


Using Your Web Files

Once your files are in place on people2, they will be visible to the world with URLs similar to

http://www.ohio.edu/people/piccard/index.html (pre-2015-cutover)

https://www.ohio.edu/people/piccard/index.html (post-2015-cutover)

where your own Ohio ID will be between the "people/" and the following slash. See the section, "Restricting Access to Your Web Pages," below, for a discussion of the URL for your restricted pages.

The first time you upload files to people2, you should promptly look at them with your browser, to confirm that they are intact. Be sure to look at a web page that contains an image that is yours, and be sure to scroll all the way down to the bottom of the web page; if both HTML and image files uploaded correctly, it is very likely that all files uploaded correctly.

Any folder in the /people/ subsite, including your home folder, that contains neither a file named "index.html" nor one named "index.htm" will display a server-generated list of links to every file and folder that it does contain; see, for example, http://www.ohio.edu/people/ itself. When we provision your public and secure home folders, we do not place a generic index.html file into either of those folders. This makes it simpler for people with carefully chosen file names to just upload their files for people to see. Not linking to a file doesn't conceal it — unless you also ensure that the folder contains its own index page. Furthermore, such "security by obscurity" doesn't prevent people from seeing any file on your public site: if they somehow learn or guess the filename and type in the URL, the server will show it.
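A check you can run on the local copy of your public site before uploading, as an added example (not OIT's tooling): it reports every folder that would get a server-generated listing and what that listing would reveal, and also flags a first-level folder using the reserved name "restricted". The function name and the exact, case-sensitive match on the two index file names are assumptions.

```python
import os

# File names this page says suppress the server-generated listing.
INDEX_NAMES = {"index.html", "index.htm"}

def audit_site(root):
    """Walk a local copy of a public site before it is uploaded.

    Returns (listed, reserved):
      listed   maps each folder that has no index page (as a site-relative
               path) to the sorted entries its generated listing would show
      reserved is True when a first-level folder is named "restricted",
               which the guide reserves for password-protected resources
    """
    listed = {}
    for folder, dirs, files in os.walk(root):
        dirs.sort()                      # deterministic traversal order
        if not INDEX_NAMES & set(files):
            rel = os.path.relpath(folder, root).replace(os.sep, "/")
            site_path = "/" if rel == "." else "/" + rel + "/"
            listed[site_path] = sorted(dirs + files)
    reserved = os.path.isdir(os.path.join(root, "restricted"))
    return listed, reserved

if __name__ == "__main__":
    import sys
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    exposed, reserved_name = audit_site(site_root)
    for path, entries in sorted(exposed.items()):
        print(f"listing exposed at {path}: {', '.join(entries) or '(empty)'}")
    if reserved_name:
        print('first-level folder "restricted" found: rename it before upload')
```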


Site Go-Live

As soon as you are satisfied with your site on people2, you should make it easier for others to find it.

A separate page provides step-by-step instructions to accomplish this task.


Restricting Access to Your Web Pages

This feature is now activated on the people2 server; there are no known problems; but please do confirm that the restrictions you intend are working correctly, and report any problems you encounter.

You can restrict access to your Web pages, permitting only those people whom you authorize to see your pages. Until the impending cut-over (in late fall, 2015) all pages in your secure folder are subject to password-protection, but you should only place new items into your "restricted" folder, and you should be moving any older items into that folder, too. After the cut-over, your "restricted" folder must live inside your public folder. We will move it from the old location to the new one as part of the cut-over processing. Do not place a folder named "restricted" into your public folder: the contents won't be password protected yet, and its existence may obstruct the cut-over processing.

The details for establishing the various possible forms of access control are in http://www.ohio.edu/oit/webservices/people/accesscontrolsteps.cfm.


Assistant Pagemasters

If you want to authorize one or more other people to update your personal web presence (e.g., teaching assistants working with a professor's online instructional materials), please do not tell them your password! Instead, let us know the details: we have configured the people2 server so that we can readily add and remove assistant pagemasters for each person's subsite. We may later have a self-service application that you would use for this purpose (if so, it will be linked from here), but for now we will be doing these changes manually, so just send an e-mail to servicedesk@ohio.edu.