Old 02-21-2006, 10:20 AM   #1 (permalink)
frostyservant
Concerning Apache problem...

I'm not sure if this is the correct forum for this thread; if it is not, my apologies.

Concerningly enough, IE7 seems to bypass .htaccess somehow on Apache. The user is still presented with a username/password prompt, but canceling this will allow them to browse a good deal of the website's content. Just from visually observing the process, it seems as if webpage content is downloaded until the prompt is generated.

When browsing in Firefox (and, as far as I can remember, IE6), Apache behaves appropriately; but, of course, in server-side security, one has to assume the user will take advantage of any flaws.

Has this always been a problem in Apache, or has this problem newly emerged with IE7? Is there some mistake I'm making with regards to security?

For reference, here's an edited version of the .htaccess file in question:

Code:
AuthName "Who goes there?"
AuthType Basic
 
AuthUserFile [absolute location of .htpasswd file]
 
AuthGroupFile /dev/null
 
<Limit GET POST>
require user [username]
</Limit>
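A static check for a Basic-auth .htaccess like the one posted above, added here as an example and not part of the original post: it flags a Require placed inside <Limit> (Apache restricts only the listed methods there), a relative AuthUserFile, and missing auth directives. The function name, path and user name are assumptions made for the illustration.

```python
import re

# Constructed sample: same shape as the posted file, placeholder path and user.
SAMPLE = """\
AuthName "Who goes there?"
AuthType Basic
AuthUserFile /home/example/.htpasswd
AuthGroupFile /dev/null
<Limit GET POST>
require user alice
</Limit>
"""

REQUIRED = ("authtype", "authname", "authuserfile", "require")

def lint_htaccess(text):
    """Return (line_number, message) findings for a Basic-auth .htaccess."""
    findings, seen, limit = [], set(), None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<\s*(/?)(limit(?:except)?)\b([^>]*)>", line, re.I)
        if m:  # track whether we are inside <Limit ...> or <LimitExcept ...>
            closing, tag, args = m.groups()
            limit = None if closing else (tag.lower(), args.split())
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        seen.add(name)
        if name == "require" and limit and limit[0] == "limit":
            # Apache applies directives inside <Limit> to the listed methods only.
            findings.append((n, "Require inside <Limit %s>: other methods are "
                                "not restricted; move Require out of the block"
                                % " ".join(limit[1])))
        if name == "authuserfile" and not value.strip().strip('"').startswith("/"):
            # A relative AuthUserFile is resolved against ServerRoot.
            findings.append((n, "AuthUserFile is not an absolute path"))
    for directive in REQUIRED:
        if directive not in seen:
            findings.append((0, "missing directive: " + directive))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_htaccess(SAMPLE):
        print("line %d: %s" % (lineno, msg))
```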
Old 02-21-2006, 10:59 AM   #2 (permalink)
sde
i haven't experienced the problem you mention. here's the format of one i use.
Code:
AuthGroupFile /dev/null
AuthName "authorized users only"
AuthType Basic
AuthUserFile <path to .htpasswd>
require valid-user
Old 02-21-2006, 11:26 AM   #3 (permalink)
frostyservant
Hmmm... both configurations of .htaccess produce the same result; although upon further investigation I've discovered that the problem exists for Firefox as well... I may need to take this up with my hosting company (GoDaddy).
Old 02-21-2006, 12:06 PM   #4 (permalink)
sde
do they have an interface that creates the password protection? or do you manually do it?

if they have a control panel option, i would remove it and try to create it again.
Old 02-21-2006, 12:12 PM   #5 (permalink)
frostyservant
Nope, I wrote the .htaccess file manually.

EDIT: The problem doesn't seem to be cropping up when I try to access the protected folder itself, just files within that folder.
Old 02-21-2006, 12:34 PM   #6 (permalink)
sde
do you have shell access to your web server? i remember a while back i was working on getting .htaccess to work with my .htpasswd file and i was having trouble. i found this command to create the .htpasswd file and it ended up working out.
Code:
$ htpasswd -c .htpasswd <username>
you would need shell access to the server to execute that though. also, you would need to be in the directory where your .htpasswd file is stored to use that exact format.
Old 02-21-2006, 12:36 PM   #7 (permalink)
frostyservant
Unfortunately, no; I don't.

Thanks for all this assistance, btw.
Old 02-21-2006, 12:39 PM   #8 (permalink)
sde
no problem. please update me with what you find out. i'm curious how godaddy handles it as i run a little hosting company myself. i'm surprised the hosting control panel they run doesn't support that.
Old 02-21-2006, 12:40 PM   #9 (permalink)
teknomage1
Remember, the web browser never sees .htaccess files, so either the apache webserver executes it or it doesn't. It could be that your hosting company doesn't support the directives you have supplied, or doesn't even read .htaccess files. Maybe they upgraded recently and changed something?
Old 02-21-2006, 12:43 PM   #10 (permalink)
frostyservant
It's possible something changed, but I would find it easier to understand if .htaccess no longer worked at all. Instead, users are presented with a prompt, but for some reason the server doesn't wait for them to supply credentials before serving data.

EDIT: Hmmm... I thought it might be a chmod problem, tried changing some of that, it didn't work. Now files have their original values again (.htaccess and .htpasswd at 644, everything else at 755), but .htaccess doesn't work at all.

Last edited by frostyservant; 02-21-2006 at 01:13 PM.
Old 02-22-2006, 06:36 PM   #11 (permalink)
DJMaze
must be issue with .htpasswd having empty entry or something.
.htpasswd should be 622 (only readable) for best security

I don't have that issue in one of my PHP apps since PHP itself handles the authorization for me.