Authentication in .htaccess in subdomain affects the main domain site - .htaccess

I have a very strange problem with password protection in a subdomain. I use a subdomain test.example.com, and in order to avoid duplicate content issues, and to keep the test site private, I have added these lines on top in .htaccess for this test site to prompt users:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /home/httpd/mydomain/test.example.com/.htpasswd
Require valid-user
This authentication solution has worked for years, but now suddenly when accessing the main domain example.com, the user is prompted with a dialog that demands authentication. The message is that test.example.com demands authentication. So the password protection in the test site affects the main domain site.
To grant access for all users to the main site again, I have commented out the relevant lines in .htaccess for the test site.
To be clear I should also mention that I am not talking about a redirection to the test site. When accessing the main site, this is also where the user ends up. But the password prompt still refers to the test site.
On the server no changes has been made to the vhosts in a long time.
So how can the password protection in the .htaccess file in the test site affect the main domain site? Seems impossible to me. But yet this is what happens.
The site is built with Drupal 7 and is updated to the latest version. The only change in recent time is a Drupal update (7.82).

Related

AuthName in .htaccess not displayed in Chrome

I am trying to secure a website with an .htaccess file with Apache2. It works well but the message specified with the AuthName line is not visible on Chrome (but it is visible on Firefox !). What should I do to make it visible on Chrome?
Here is my .htaccess file
AuthType Basic
AuthName "Restricted Access"
AuthFile "/etc/apache2/.htpasswd"
Require valid-user
On Firefox the pop-up tells
The site ... is requesting your username and password. The site says: "Restricted Access"
But on Chrome it only tells
Sign in
What should I do to make it visible on Chrome?
There is nothing you can do.
The browser decides whether it wants to display this information to the user in some way, or not.
The phrasing used in the Apache documentation already hints at that (highlights by me) -
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname:
The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
https://httpd.apache.org/docs/2.4/howto/auth.html#gettingitworking:
The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.
Here is a workaround which can give some info for your unlucky visitor, using custom error document feature after the login attempt fails:
Put this line into your .htaccess file:
ErrorDocument 401 YYYY-MM-DDTHHMM-Site-update-under-way-Estimate-30-min
The continuous text seems to get displayed after login fails or is canceled. No dots (.) or colons (:) allowed. Of course it should represent a valid filename, but if the user has no access to public_html due to login fail a file maybe can't be served anyway. If You can serve a proper 401 error page, You can explain the situation there.
(edit 1) Maybe this behaviour is a curiosity in my case with shared hosting. The shared server there seems to be nginx which I guess "is forced" to accept .htaccess directives.
(edit 2) Confirmed this behaviour also with Apache 2.4 server

htaccess Login works on one site but not the other

I'm working on providing a simple username/password gate for a client's website. I'm using a simple combo of htaccess and htpasswd files to accomplish this.
For right now, I'm only using dummy names and passwords, so, I feel comfortable posting those here.
Login 1: sean
PW 1: CreAgent
Login 2: sally
PW 2: pass
PWs were encrypted using this site (www.htaccesstools.com/htpasswd-generator/).
As you can see, it all works fine at this location.
Here is the code in the .htaccess file at that location:
AuthName "Employees Only"
AuthType Basic
AuthUserFile /home/content/n/i/n/nintemple1/html/login/.htpasswd
require valid-user
And here is the htpasswd file...
sean:[encrypted password - not sure if I should post this!]
sally:[encrypted password - not sure if I should post this!]
Now, that webspace above is my own. So, then I tried to set things up on the client's space. As you can see from that link, it just keeps treating the login as incorrect (offering new attempts) until you hit cancel and then it returns a 401 error. Everything is identical except that I changed the path to the new htpasswd file. So, the new htaccess file is like so...
AuthName "AIM Employees Only"
AuthType Basic
AuthUserFile /home/aimcilco/public_html/JAL/.htpasswd
require valid-user
I know it's possible that the client's space might be configured differently. But, the space where their files are hosted does not have a phone # to contact with questions and I posted on their forum weeks ago with no reply. So, I can't just ask the people who run the server. I do see other htaccess files in their space though, so, I imagine things are at least somewhat configured to handle htaccess.
I will admit that I am out of my depth here. I felt confident setting this up (since I got it working on my own space), but, I don't know enough about how these things work to properly trouble shoot this issue. =\
Thanks in advance and let me know if there is any more info you need from me to best solve this problem!

PHP | .htpasswd | Can not login custom admin page with same username and password

I use a free shared php web server for my site. my site's url end was p.ht and for some issues it changed to w.pw
In order to make my site working properly again, by using Notepad++ I used "Find in Files" subwindow which is in ctrl+F popup window. I replaced each occurence of p.ht with w.pw.
My site then started to work properly again with no problem in terms of viewing.
however after this change, after a while I needed to logon my custom admin page (approve comments, articles etc)
I created it with .htaccess with main commands below:
AuthUserFile /home/u999999999/public_html/.htpasswd
AuthName "Log In"
AuthType Basic
Require valid-user
RewriteEngine On
RewriteBase /adminfolder/
just before URLs changed, everything was working on my site properly, I was able to login to my admin account from my firm computer. But know despite the same password and username I can't logon. I changed the password, uploaded new file but again I couldn't logon.
What can be the problem?
my firm firewall, security politics update etc?
A changed php server property in free shared web server?
A ctrl+Replace mistake somehow?
I also entered the password by keyboard and by copy-paste.
Can you please guide me for my situation. Where should I look, what new action can I try in order to detect my failure mode?
best regards

how to change a website available only for admin

i have a website that need to be unavailable for public.
I cannot test my website locally because lot of contents are depend on databases and images.
At present i am using .htaccess to deny all the people,bots and allow my ip address to use the site. What happens i have a dial-up ADSL modem and my ISP connection is frequently disconnecting. So i need to change the allowed IP address in htaccess frequently.This is terrible.
Is there any other way to overcome this situation. I saw an article to make the site password protected. is it okay or what should i do to overcome this terrible scenario.
Thanks
Yes, password protecting is fine. Follow this guide: http://httpd.apache.org/docs/2.2/howto/auth.html
You need to create an htpasswd file, essentially the file that holds your username and password. If you don't have shell access on your hosting plan, you can go to an online generator and create the file locally and upload it to your hosting site (don't put it in your document root).
Then add this to your htaccess file:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
You can also whitelist IPs like you did before but you need to add this line:
Satisfy Any
So that your Allow from 123.45.67.89 lines is sufficient and don't need to log in from that IP.

Can I unprotect a single script via .htaccess using CodeIgniter?

I'm in a development environment and we're using basic .htaccess/.htpasswd authentication to keep lurkers out. But some of my AJAX calls are coming back with HTTP/401 authentication failed errors. Is it possible for me to allow access only to those specific URL's? I can't easily do it by popping a new .htaccess in a subfolder because CodeIgniter uses ReWrites.
It's not possible to allow access only to those specific URL's. Unfortunately, .htaccess and .htpasswd authentication operates on a directory level only. And you're exactly right about why just using a subdirectory won't work - b/c of CI rewrites, which happen AFTER Apache has transferred control to CodeIgniter's index.php front controller.
The easy option, if you're working on something that (1) is not likely to be hacked in the first place, and (2) can't reveal sensitive data even if it is, is to use security via obscurity. Don't have any links to your dev site, include a noindex directive for search engine crawlers, and go on your merry way. This also has the advantage that you can test versions of the site with your colleagues and friends by just telling them the URL to go to.
If you're more worried about security, then you're probably building an auth module for your website's users. In that case, for your dev environment, just call that auth module in the constructor for all of your controllers, and redirect to the login page if the user is not logged in.
Good luck!

Resources