htpasswd is bypassing when click cancel - apache

in my htaccess I have below code which is used to save admin* area.
If I give wrong username password it keeps poping up for correct usrename but if I press cancel I can see my restriced area instead loading error page, what is wrong? thanks
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/mydirectory/.htpasswds/.htpasswd
AuthGroupFile /dev/null
<Files admin*>
require valid-user
</Files>

Your .htaccess doesn't protect for anything else than admin*.
If you have auto index option enabled for example, it doesn't match the pattern (but having DirectoryIndex set to adminindex for example do so).
Maybe the authentication prompt is related to a resource needed by the page (JS, css, image, favicon) and not the page itself.
Could you try to inspect HTTP response using curl or apache logs ?
This might give you a hint.
curl -vso/dev/null http://localhost/test/

I had this same issue. For me the problem was a RewriteRule in the htaccess folder in a directory above the one that was password protected.
I resolved my issue by adding RewriteEngine off to the top of the htaccess in the folder I was password protecting.

I found that this behavior occurred when .htaccess was present in the parent directory but not in the actual directory being accessed. Placing another .htaccess file in the directory being accessed stopped this behavior.

If you're using wordpress, it's a known issue. Solution here

Related

htaccess and htpasswd protect a root subdirectory

I know this is a common question, but I just can't figure out how to do it.
After many unsuccessful attempts, dozens of tutorials and SO posts I gave up and decided to ask a new question here.
So, this is what I have:
a vary basic file host without the ability to alter any Apache settings
a subdomain provider
following file and directory structure:
-root
|-subfolder1
|-subfolder2
|-subfolder1
|-index.html
|-somescript.php
Now I just want to protect the folder "subfolder2" and all of its contents.
I managed to protect a subfolder of a subfolder of the root directory, but not a subfolder within the root directory itself.
I am totally lost.
Please, can anybody help me out?
If I understood your question you want to forbid the access to any URL which has subfolder2 in it, if this is the case then please try placing these rules into your .htaccess file. Please make sure you clear your browser cache before testing your URLs.
RewriteEngine ON
RewriteCond %{REQUEST_URI} subfolder2 [NC]
RewriteRule ^ - [F]
WOW!
Your code was not needed.
All I had to do was clearing the cache and cookies and then the login prompt popped up. That simple.
Thanks for your effort though!
BTW. this is what I have done so far:
file and directory structure as follows:
-root
...
|-subfolder2
|-subfolder1
|-.htaccess
|-.htpasswd
|-index.html
|-script.php
.htaccess file:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /users/XYZ/root/subfolder2/.htpasswd
Require valid-user
.htpasswd file:
MrX:$blah1blah2blah3.some.encoded.password
Cleared browser cache and cookies.
Now when I go to http://XYZ.domain.com/subfolder2 the "login" prompt pops up and that's all I needed.
There's no secret or vulnerable data in this folder, I just don't want bots and crawlers to browse it.
Many thanks anyway
stay safe and have a nice pre new years eve time

.htaccess produces permission denied despite correct password

I set up a .htaccess-file to protect a folder which is in the webroot. Let's call the folder /protected.
I placed the .htaccess and the .htusers file in this very folder (/protected). When I try to login into the folder using the correct login credentials I still get 403.
Here is the .htaccess file:
AuthType Basic
AuthName "Service-Bereich"
AuthBasicProvider file
AuthUserFile [FULL_PATH]/.htusers
Require valid-user
.htusers
mary:$afr1$oqJDM12K$iT9QWY4ETerG0LUtRzw8C.
(For security reasons: user data is not real! It is a mockup)
Thank you in advance.
I finally managed to get it working. I left out the AuthBasicProvider file directive and put a file into the directory. However, I would still be interested in getting it to work without placing a file into the directory. :)
Thank you for all who tried to help me solving the issue.

htpasswd problem: AuthType takes one argument, an HTTP authorization type (e.g., "Basic")

I've never come across this error before and a search on Google doesn't turn up much. I'm getting 500 Internal Server Error. Running Ubuntu 18.04.
Apache log:
AuthType takes one argument, an HTTP authorization
type (e.g., "Basic")
.htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
/etc/apache2/.htpasswd
test:$apr1$iAZiDJQI$kx5QMVpowee3IG7eCf24X1
I've tried moving .htpasswd to the document root, changing permissions, setting owner to www-data, nothing works. AuthUserFile path is definitely correct.
A bit late, but I was having the same error with my .htaccess file, and this post turned up as the first result in Google.
The problem causing this error is your .htaccess file which is not using unix newlines.
The fix is easy, in e.g. Notepad++ open your .htaccess file, then from the menu:
Edit > EOL Conversion > Unix (LF)
Save the file and upload it and it will work, at least in my case it did.

.htaccess Password protection keeps asking for password over and over

I've placed this code in the .htaccess file of the folder I want to protect:
AuthName "restricted area"
AuthType Basic
AuthUserFile /home/#/#/#/#/#/.htpasswd
require valid-user
In the same folder, I placed this .htpasswd:
my:pass
When I go to the URL of the protected folder, the browser keeps asking me for a password over and over, even though I'm typing the correct one.
I know that the root directory mentioned in AuthUserFile is ok because I've found it out with:
<?php
$dir = dirname(__FILE__);
echo "<p>Full path to a .htpasswd file in this dir: " .
$dir . "/.htpasswd" . "</p>";
?>
Where's the problem?
Just add "user" in between require valid-user
For example:
Require user markpanado
But not:
Require markpanado
the problem, so i found for my website, is that the htpasswd file path is not the same as the path provided in the htaccess. I spent weeks trying to find where the problem was, but although you create usernames and passes using the htpasswrd the file is not communicating with the secure folder. You will need to find out why. maybe a spelling mistake or as in my case, the htpasswd was being saved in a completely different folder, and i had 2 htpasswrd in different folders. the two need to communicate htacccess and htpasswrd, hope this saves you time I figured it out after weeks of sleepless nights.
I have just come across this problem. After trying to figure it out for the last couple of days I have found out the source of the problem:
This prompt gets triggered when using AuthType Basic and whenever a 401 message is sent from the website.
Is it possible that you had a 401 HTTP status code message being sent from the server at each request? You can check your developer console to find out.

Stop authentication pop up on allowed directory in htaccess

Hi I am new here so little bit hesitating in asking question as i don't know the rules, But i will give a try.
I have successfully password protected a website using .htaccess and .htpasswd,
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/.htpasswd
AuthGroupFile /dev/null
require valid-user
SetEnvIf Request_URI "^/dir1" dir1_uri
SetEnvIf Request_URI "^/dir2" dir2_uri
Order Allow,Deny
Allow from env=dir1_uri
Allow from env=dir2_uri
Satisfy any
As you can see i am allowing access to the dir1 and dir2.
Problem is that when i access the dir1 or dir2 through browser, the Authentication window pop up, this should not happen. Though it open the site when I cancel the pop up and can access the website without any problem. But it always pop up whenever i visit them. I don't know why this is happening.
Please help me.
Finally I able to resolve it and it was due to my own mistake.
By debugging for continuous 6-7 hours I found that the style sheet containing background-url property referencing to images which are in the restrictive directory or not existing are causing to pop up authentication pop up. I fixed them and it is now working.