I am trying to secure a website with an .htaccess file with Apache2. It works well but the message specified with the AuthName line is not visible on Chrome (but it is visible on Firefox !). What should I do to make it visible on Chrome?
Here is my .htaccess file
AuthType Basic
AuthName "Restricted Access"
AuthFile "/etc/apache2/.htpasswd"
Require valid-user
On Firefox the pop-up tells
The site ... is requesting your username and password. The site says: "Restricted Access"
But on Chrome it only tells
Sign in
What should I do to make it visible on Chrome?
There is nothing you can do.
The browser decides whether it wants to display this information to the user in some way, or not.
The phrasing used in the Apache documentation already hints at that (highlights by me) -
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname:
The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
https://httpd.apache.org/docs/2.4/howto/auth.html#gettingitworking:
The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.
Here is a workaround which can give some info for your unlucky visitor, using custom error document feature after the login attempt fails:
Put this line into your .htaccess file:
ErrorDocument 401 YYYY-MM-DDTHHMM-Site-update-under-way-Estimate-30-min
The continuous text seems to get displayed after login fails or is canceled. No dots (.) or colons (:) allowed. Of course it should represent a valid filename, but if the user has no access to public_html due to login fail a file maybe can't be served anyway. If You can serve a proper 401 error page, You can explain the situation there.
(edit 1) Maybe this behaviour is a curiosity in my case with shared hosting. The shared server there seems to be nginx which I guess "is forced" to accept .htaccess directives.
(edit 2) Confirmed this behaviour also with Apache 2.4 server
Related
I have a very strange problem with password protection in a subdomain. I use a subdomain test.example.com, and in order to avoid duplicate content issues, and to keep the test site private, I have added these lines on top in .htaccess for this test site to prompt users:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /home/httpd/mydomain/test.example.com/.htpasswd
Require valid-user
This authentication solution has worked for years, but now suddenly when accessing the main domain example.com, the user is prompted with a dialog that demands authentication. The message is that test.example.com demands authentication. So the password protection in the test site affects the main domain site.
To grant access for all users to the main site again, I have commented out the relevant lines in .htaccess for the test site.
To be clear I should also mention that I am not talking about a redirection to the test site. When accessing the main site, this is also where the user ends up. But the password prompt still refers to the test site.
On the server no changes has been made to the vhosts in a long time.
So how can the password protection in the .htaccess file in the test site affect the main domain site? Seems impossible to me. But yet this is what happens.
The site is built with Drupal 7 and is updated to the latest version. The only change in recent time is a Drupal update (7.82).
I'm working on providing a simple username/password gate for a client's website. I'm using a simple combo of htaccess and htpasswd files to accomplish this.
For right now, I'm only using dummy names and passwords, so, I feel comfortable posting those here.
Login 1: sean
PW 1: CreAgent
Login 2: sally
PW 2: pass
PWs were encrypted using this site (www.htaccesstools.com/htpasswd-generator/).
As you can see, it all works fine at this location.
Here is the code in the .htaccess file at that location:
AuthName "Employees Only"
AuthType Basic
AuthUserFile /home/content/n/i/n/nintemple1/html/login/.htpasswd
require valid-user
And here is the htpasswd file...
sean:[encrypted password - not sure if I should post this!]
sally:[encrypted password - not sure if I should post this!]
Now, that webspace above is my own. So, then I tried to set things up on the client's space. As you can see from that link, it just keeps treating the login as incorrect (offering new attempts) until you hit cancel and then it returns a 401 error. Everything is identical except that I changed the path to the new htpasswd file. So, the new htaccess file is like so...
AuthName "AIM Employees Only"
AuthType Basic
AuthUserFile /home/aimcilco/public_html/JAL/.htpasswd
require valid-user
I know it's possible that the client's space might be configured differently. But, the space where their files are hosted does not have a phone # to contact with questions and I posted on their forum weeks ago with no reply. So, I can't just ask the people who run the server. I do see other htaccess files in their space though, so, I imagine things are at least somewhat configured to handle htaccess.
I will admit that I am out of my depth here. I felt confident setting this up (since I got it working on my own space), but, I don't know enough about how these things work to properly trouble shoot this issue. =\
Thanks in advance and let me know if there is any more info you need from me to best solve this problem!
I use a free shared php web server for my site. my site's url end was p.ht and for some issues it changed to w.pw
In order to make my site working properly again, by using Notepad++ I used "Find in Files" subwindow which is in ctrl+F popup window. I replaced each occurence of p.ht with w.pw.
My site then started to work properly again with no problem in terms of viewing.
however after this change, after a while I needed to logon my custom admin page (approve comments, articles etc)
I created it with .htaccess with main commands below:
AuthUserFile /home/u999999999/public_html/.htpasswd
AuthName "Log In"
AuthType Basic
Require valid-user
RewriteEngine On
RewriteBase /adminfolder/
just before URLs changed, everything was working on my site properly, I was able to login to my admin account from my firm computer. But know despite the same password and username I can't logon. I changed the password, uploaded new file but again I couldn't logon.
What can be the problem?
my firm firewall, security politics update etc?
A changed php server property in free shared web server?
A ctrl+Replace mistake somehow?
I also entered the password by keyboard and by copy-paste.
Can you please guide me for my situation. Where should I look, what new action can I try in order to detect my failure mode?
best regards
Okay, so I'm protecting a webpage with a basic .htaccess/.htpasswd combination.
My .htaccess file looks something like this:
DirectoryIndex index.php
AuthUserFile HOMEDIRECTORY/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require valid-user
Everything works fine under Firefox, but Chrome gives this message. I've tested this on multiple computers.
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Any idea where Chrome is going wrong?
If you are using a frame redirection between different domains Chrome will not show the login prompt. Use an HTTP 302 or 301 redirection instead.
I'm trying to protect a folder with Digest Authentication through a .htaccess file:
AuthType Digest
AuthName "Restricted Area"
AuthUserFile /web/htdocs/www.domain.com/.../.htdigest
Require valid-user
I've created the file of passwords with the comand "htdigest".
All works fine on my local server ... but not on my remote server (hosted website)!
The browser shows the login panel even if I enter a correct password!
On the remote server PHP is running as CGI not as a module of Apache ... should be this the cause? Is there some workaround?
A Basic Authentication with .htaccess works fine on the same remote server!
If the script is running as CGI, that means it is running as the local user, not as www, which is probably the problem, yes. Is CGI the only option?
The code above is missing the AuthDigestDomain directive, about that the documentation says:
This directive should always be
specified and contain at least the
(set of) root URI(s) for this space.
Omitting to do so will cause the
client to send the Authorization
header for every request sent to this
server. Apart from increasing the size
of the request, it may also have a
detrimental effect on performance if
AuthDigestNcCheck is on.
However, I've definitely solved the problem by enabling the Apache module mod_auth_digest instead of the module mod_digest.