There is a problem I am having, and I'm pulling my hair out on how to solve it:

In the root folder I have an htaccess file with the following rules:

RewriteCond %{REQUEST_FILENAME} !-s
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME}/index.php !-s
RewriteCond %{REQUEST_FILENAME}/index.html !-s
RewriteCond %{REQUEST_FILENAME}/index.htm !-s
RewriteRule ^(.*)$ redirect.php [QSA]

So my goal is to rewrite to redirect.php if the file/directory/index file is not found.

This works perfectly well for my entire site, so no problems... until I have a folder that is protected by password with the following htaccess file:

AuthUserFile /path/to/htpasswd
AuthName EnterPassword
AuthType Basic

require user adminUserName

It seems that Apache regards going to this folder as invalid and performs the rewrite to redirect.php.

BUT, if I am already authenticated (by disabling the rewrite above, logging in, then re-enabling the rewrite again), it works...

I have tried adding the following to my root htaccess file before the rule I have above:

RewriteRule ^secureFolder(.*)$ - [L]

And it doesn't work; the following works, but it defeats the purpose of my redirect.php:

RewriteRule ^(.*)$ - [L]

Any ideas welcome!

UPDATE: 2013-10-31 14:00 ET

Well, I have given up on dealing with it using HTTP auth. So I implemented a simple password system just for that folder using PHP...

It goes like this:

In .htaccess:

<IfModule mod_php5.c>
    php_value auto_prepend_file /path/to/a/file/in/secureFolder
</IfModule>

In .user.ini (for PHP-FPM, if you use it):

auto_prepend_file = /path/to/a/file/in/secureFolder

In /path/to/a/file/in/secureFolder:

<?php
session_start();
/**
 * Check if logged in
 */
if (!isset($_SESSION['adminLogin'])) {
    include('/path/to/loginTemplate');
    exit;
}

In /path/to/loginTemplate:

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = isset($_POST['username']) ? $_POST['username'] : null;
    $password = isset($_POST['password']) ? $_POST['password'] : null;
    if (
        $username === 'username'
        // Strict comparison: with ==, hash strings that look numeric ("0e...") are compared as numbers
        && sha1($password) === 'somehashedvalueofyourpassword'
    ) {
        $_SESSION['adminLogin'] = true;
        header('refresh: 0');
    } else {
        $message = 'Incorrect login';
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
<?php if (isset($message)) echo $message ?>
<form action="" method="post">
    <p>
        <label>Username:</label>
        <input type="text" name="username" />
    </p>
    <p>
        <label>Password:</label>
        <input type="password" name="password" />
    </p>
    <p>
        <input type="submit" value="Login" />
    </p>
</form>
</body>
</html>

And a logout.php:

<?php
session_start();

unset($_SESSION['adminLogin']);

// Go back to the referring page when one was sent, otherwise to the default location
$location = !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/admin.contests/';
header('Location: ' . $location);
exit;
Populus
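
A hardened variant of the login check from the workaround above, as an added example that is not the poster's code: it verifies against a `password_hash()` value instead of a bare SHA-1 compared with `==`, and issues a new session ID on login. The names `check_admin_login`, `handle_login_post`, `ADMIN_USER` and `ADMIN_HASH` are assumptions; the session key `adminLogin` is the one used in the post.

```php
<?php
// Added example, not the poster's code. ADMIN_HASH is a placeholder: generate
// the real value once on the command line and paste it in:
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), PHP_EOL;'
const ADMIN_USER = 'username';
const ADMIN_HASH = 'PASTE_PASSWORD_HASH_OUTPUT_HERE';

/** Returns true only when both the username and the password match. */
function check_admin_login($username, $password, $storedHash = ADMIN_HASH)
{
    // username[]=x arrives as an array; reject it before any string function.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // Evaluate both checks so a wrong username is not rejected faster.
    $userOk = hash_equals(ADMIN_USER, $username);
    $passOk = password_verify($password, $storedHash);
    return $userOk && $passOk;
}

/** Handles the POST of the login form; returns an error message or null. */
function handle_login_post(array $post)
{
    $username = isset($post['username']) ? $post['username'] : null;
    $password = isset($post['password']) ? $post['password'] : null;
    if (!check_admin_login($username, $password)) {
        return 'Incorrect login';
    }
    // New session ID on privilege change, so a pre-set ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['adminLogin'] = true;
    return null;
}

// Command-line self-check with a constructed password (never used in the web path).
if (PHP_SAPI === 'cli') {
    $demoHash = password_hash('constructed-demo-password', PASSWORD_DEFAULT);
    var_dump(check_admin_login('username', 'constructed-demo-password', $demoHash));
    var_dump(check_admin_login('username', 'wrong-password', $demoHash));
    var_dump(check_admin_login('username', array('x'), $demoHash));
    // Why == is unsafe for hash strings: both sides look numeric to PHP.
    var_dump('0e1' == '0e2', '0e1' === '0e2');
}
```

In the login template, `handle_login_post($_POST)` would replace the inline comparison; it assumes the prepended file has already called `session_start()`.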

1 Answer

You can try:

DOCUMENT/.htaccess:

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-s
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME}/index.php !-s
RewriteCond %{REQUEST_FILENAME}/index.html !-s
RewriteCond %{REQUEST_FILENAME}/index.htm !-s
RewriteRule ^(.*)$ redirect.php [L]

DOCUMENT/folder/.htaccess: With an extra RewriteEngine On line:

RewriteEngine On

AuthUserFile /path/to/htpasswd
AuthName EnterPassword
AuthType Basic
require user adminUserName

anubhava
  • This doesn't work in my case because if the folder has no index file, it will show the "Forbidden" error page since I disabled the file index, when I want it to go to `redirect.php` instead. Also, I have tried this but Apache still doesn't acknowledge the existence of the secureFolder when I'm not already authenticated... – Populus Oct 31 '13 at 18:00
  • Can you post complete code from both of your .htaccess since I don't see any `disabling index` directive here. – anubhava Oct 31 '13 at 18:05
  • It's in my server config in the form of `Options All -Indexes` – Populus Oct 31 '13 at 18:09
  • Anyway, I posted my workaround, which meant abandoning HTTP auth completely. – Populus Oct 31 '13 at 18:10
  • No you didn't need to since I posted above solution after thoroughly testing it myself. It is just that you have some other directive in .htaccess that is clashing and we could find & fix it. – anubhava Oct 31 '13 at 18:12
  • I cannot use `RewriteCond %{REQUEST_FILENAME} !-d` because it would consider an empty folder (or in my case a folder without an index file) as a valid folder and skip my rewrite to `redirect.php` – Populus Oct 31 '13 at 18:46
  • That's not correct `%{REQUEST_FILENAME} !-d` means if request is NOT for a valid directory. – anubhava Oct 31 '13 at 18:59
  • Exactly... Because an empty folder is a valid folder, it will completely skip the `redirect.php`, which I do *not* want – Populus Oct 31 '13 at 19:07
  • So you want to skip ONLY if index file is present in a folder? – anubhava Oct 31 '13 at 19:08
  • Yes I said that in the third sentence of my question :/ maybe it was unclear tho... – Populus Oct 31 '13 at 19:52
  • I've tried `RewriteEngine On` after the `AuthUserFile` declaration, maybe it would've worked if I put it in front, but it's over and done with now, I hated HTTP Auth in the first place. Thanks for trying. – Populus Oct 31 '13 at 21:40