1

I have an Apache server with a password-protected web directory. That directory has a sub-directory, which requires another password, but anyone who can access the sub-directory should have access to the parent directory as well. That is:

  • /stuff - users "stuff" and "admin" allowed
  • /stuff/admin - only user "admin" allowed

So I've set it up that way in the Apache config:

    <Directory "/stuff">
        [AuthType Basic, AuthName, etc.]
        Require user stuff
        Require user admin
    </Directory>

    <Directory "/stuff/admin">
        [AuthType Basic, AuthName, etc.]
        Require user admin
    </Directory>

This works in the sense that I can browse to /stuff and log in as either "admin" or "stuff". However, the pages in /stuff/admin reference some images from the parent directory. I find that when I browse directly to /stuff/admin and log in as "admin" the browser still prompts me for another password to load those images. (I know it's the prompt for /stuff, because the AuthName value is different.)

How do I avoid this and allow a user who has access to /stuff/admin to just log in once (as "admin"), not twice?

4 Answers

5

The problem turned out to be the different AuthName value for the two directories. I thought that its sole purpose is to provide a meaningful prompt to the user. Having read the documentation again, it turns out it has another purpose: the browser will automatically try the same credentials for directories with the same AuthName.

So what was happening in my case was that after having authenticated to /stuff/admin the browser would request /stuff/something-else, it would get a "401 Unauthorized" response, but it wouldn't even try the same credentials. After I changed the AuthName to be the same it automatically responded to the 401 by retrying with the "admin" username that I previously authenticated with, which worked.

1
  • +1, but this seems to be browser-dependent (worst on Firefox). I had this when using multiple .htaccess files, rather than the config file. AuthName fixed it. Commented May 25, 2014 at 14:42
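
An added example, not part of the original answer: a small Python model of the behaviour described above, in which a browser caches Basic credentials per realm (the AuthName value) and only sends them preemptively for paths at or below a directory it has already authenticated to. The realm names, file paths and the `Browser` class are constructed for illustration.

```python
# Constructed model of the two <Directory> blocks: path prefix -> (realm, allowed users).
def make_server(stuff_realm, admin_realm):
    return {"/stuff/admin": (admin_realm, {"admin"}),
            "/stuff": (stuff_realm, {"stuff", "admin"})}

def respond(server, path, user):
    """Return (status, realm); the most specific matching directory decides."""
    prefix = max((p for p in server if path.startswith(p + "/")), key=len)
    realm, allowed = server[prefix]
    return (200 if user in allowed else 401), realm

class Browser:
    """Hypothetical client that caches Basic credentials per realm on one origin."""
    def __init__(self, typed_user):
        self.typed_user = typed_user  # what the person types when a dialog appears
        self.by_realm = {}            # realm -> user that last succeeded
        self.by_dir = {}              # directory -> user sent preemptively below it
        self.prompts = 0

    def get(self, server, path):
        directory = path.rsplit("/", 1)[0] + "/"
        # Preemptive credentials only apply at or below an authenticated directory.
        user = next((u for d, u in self.by_dir.items() if path.startswith(d)), None)
        status, realm = respond(server, path, user)
        if status == 401 and realm in self.by_realm:
            user = self.by_realm[realm]   # same realm: silent retry, no dialog
            status, realm = respond(server, path, user)
        if status == 401:
            self.prompts += 1             # unknown realm: password dialog shown
            user = self.typed_user
            status, realm = respond(server, path, user)
        if status == 200:
            self.by_realm[realm] = user
            self.by_dir[directory] = user
        return status

def count_prompts(stuff_realm, admin_realm):
    """Load an admin page, then an image from the parent directory, as 'admin'."""
    server = make_server(stuff_realm, admin_realm)
    browser = Browser("admin")
    statuses = [browser.get(server, p)
                for p in ("/stuff/admin/index.html", "/stuff/logo.png")]
    return browser.prompts, statuses

if __name__ == "__main__":
    print("different AuthName:", count_prompts("Stuff", "Admin area"))
    print("same AuthName:     ", count_prompts("Stuff", "Stuff"))
```
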
1

Have you tried reversing the order of the stanzas in your htaccess so that the more specific case is first? This may affect the matching and solve your double prompting problem.

Another thing to check is if you can use Realms or Groups to simplify, perhaps by specifying that multiple containers use the same authentication backend.

This (AAA) is different between Apache and Apache2 so check what you have. Here are both sets of docs:

http://httpd.apache.org/docs/1.3/howto/auth.html

http://httpd.apache.org/docs/2.2/howto/auth.html

hth,

adric

1
  • Not quite, but you pointed me in the right direction: AuthName was the problem - see my answer. Commented Oct 3, 2009 at 1:29
0

I haven't tried it, but would it work to change them both to require valid-user and point the admin .htaccess to a group .htpasswd file which was the admin subset and the base directory .htaccess to a .htpasswd file with the larger superset?

0

I believe when you list things on separate lines there is an implied "and". Try listing the users on the same line for an implied "or":

    <Directory "/stuff">
        [AuthType Basic, AuthName, etc.]
        Require user stuff admin
    </Directory>

1
  • Thanks, but this didn't help - it still behaves the same. Commented Oct 3, 2009 at 1:06
