Reputation: 2921
Directory protection asking for password twice on my https website?
I am trying to protect my website with a directory protection code. The website is in PHP.
My website has https and it is like https://www.example.com.
When I Open the website it is asking for username and password twice. I think it is taking once for http and once for https.
Can anyone please help me how to solve this problem.
Below is my .htaccess file code
options -multiviews
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^example.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www.example.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
</IfModule>
AuthType Basic
AuthName "example.com"
AuthUserFile /www.example.com/web/content/.htpasswd
Require valid-user
<IfModule mod_security.c>
# Turn off mod_security filtering.
SecFilterEngine Off
# The below probably isn't needed,
# but better safe than sorry.
SecFilterScanPOST Off
</IfModule>
Thanks in advance for any help.
Upvotes: 3
Views: 4561
Answers (1)
Reputation: 785146
You're getting authentication dialogue twice because Apache runs mod_auth directive before mod_rewrite directive. Also authentication session set in HTTP URL isn't valid in HTTPS URL anymore therefore it Apache has to follow the BASIC auth directive under HTTPS as well.
There can be some work-around type solutions to skip BASIC auth for http URL and do it only for HTTPS but it is not straight forward.
UPDATE: Here is a workaround solution that you can use to avoid showing BASIC auth dialogue twice.
RewriteEngine On
RewriteBase /
# redirect to HTTPS and set a cookie NO_AUTH=1
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,CO=NO_AUTH:1:%{HTTP_HOST}]
# If cookie name NO_AUTH is set then set env variable SHOW_AUTH
SetEnvIfNoCase COOKIE NO_AUTH=1 SHOW_AUTH
# show Basic auth dialogue only when SHOW_AUTH is set
AuthType Basic
AuthName "example.com"
AuthUserFile /www.example.com/web/content/.htpasswd
Require valid-user
Order allow,deny
allow from all
deny from env=SHOW_AUTH
Satisfy any
Since cookie is only set for http://domain.com therefore env variable is also set only once and BASIC auth dialog is also shown only once.
Upvotes: 4
Related Questions
- htaccess doesn't work - always wrong password
- .htaccess Password protection keeps asking for password over and over
- password protect website with .htaccess and .htpasswd - error - "Could not open password file:"
- Password protection in .htaccess doesn't ask for password
- .htaccess requests correct login twice with .htpasswd and wordpress
- .htaccess keeps asking password at every request
- .htaccess password protection not working with ErrorDocument 401
- htaccess password protection not working
- Password Protected on .htaccess
- htaccess password protected directory and mod_rewrite RerwriteCond