I understand htpasswd is pretty secure if done through SSL. Question:

I visit directory "mysite.com/protected/" (https) and log in via htaccess/htpasswd. In the same browser I open up a new tab to "mysite.com/unprotected/" (http).

Is the user/pass transmitted in the second request, or only when accessing the /protected/ directory?

1 Answer

The user's name and password will be sent with every HTTP request under the protected directory. The user will only be asked (usually) on the first try until you close and reopen the browser.

Here is a good overview.

John C
  • Thanks, overview was helpful. Since credentials are transmitted only when accessing the protected area, as long as the protected area is SSL-forced credentials will not be transmitted on non-SSL requests of non-protected directories. This was my concern. – irregularexpressions Mar 20 '14 at 21:38
  • Good to hear. I wasn't quite sure about the application. – John C Mar 20 '14 at 21:47
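
An added example, not part of the original answer or comments: a small Python model of the RFC 7617 rule the answer describes, where a client reuses Basic credentials only inside the protection space (same scheme, host and port, at or below the challenged path). The function names and the `user`/`pass` credentials are constructed for illustration, and real browsers may differ in detail.

```python
import base64
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def root_uri(url):
    """Canonical root URI (scheme, host, port) that bounds a protection space."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def path_scope(url):
    """Directory prefix at the depth of the last path segment of the challenged URL."""
    path = urlsplit(url).path or "/"
    if path.endswith("/"):
        return path
    return posixpath.dirname(path).rstrip("/") + "/"

def would_send_preemptively(challenged_url, next_url):
    """True if a client may reuse the credentials without waiting for a new 401."""
    if root_uri(challenged_url) != root_uri(next_url):
        return False  # different scheme, host or port: different protection space
    next_path = urlsplit(next_url).path or "/"
    return next_path.startswith(path_scope(challenged_url))

def authorization_header(user, password):
    """Header value sent on every in-scope request (base64 encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

if __name__ == "__main__":
    challenged = "https://mysite.com/protected/"  # where the login happened
    candidates = (
        "https://mysite.com/protected/report.html",
        "https://mysite.com/protected/sub/page",
        "http://mysite.com/unprotected/",
        "https://mysite.com/unprotected/",
        "http://mysite.com/protected/",
    )
    for url in candidates:
        print(f"{url:45} credentials sent: {would_send_preemptively(challenged, url)}")
    print(authorization_header("user", "pass"))  # constructed credentials
```

The model covers preemptive reuse only: if `http://mysite.com/protected/` itself answers with a 401 challenge instead of redirecting to https, the browser will prompt and send the credentials in cleartext, so the redirect has to happen before authentication.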