Password protected folder protects the folder but not the files (.htaccess)

Question

I have set up a password protected folder on my Apache server. I have a .htaccess file in the folder I want to protect, and a .htpassw in the Private folder.

The problem is when I enter the URL to the folder, the authorization challenge dialog appears as expected, but when I enter a URL with a specific download file name on the end, I can download it without being challenged.

My .htaccess file in the protected folder is as follows:

AuthUserFile /home/admin/web/example.com/private/.htpasswd
AuthName "Please Log In"
AuthType Basic
require user username

My .htpasswd file consists of:

username:abcdefghijs

So when I enter http://example.com/myfolder/myfile.zip it starts to download without the authorization challenge, but if I enter http://example.com/myfolder it works just fine. Clearly I need to prevent access to everything until the user is authorized.

Any thoughts would be appreciated.

score 0 · Answer 1 · answered Oct 21 '14 at 09:13

0

You can use:

<Files "myfile.zip">
Require user <USERNAME>
</Files>

answered Oct 21 '14 at 09:13

Dabien

88
4

Thanks but do you have to do this for every file? What if the downloads' names change? Can you use wildcards? – TripleAntigen Oct 21 '14 at 09:17
@Dabien Yes you can, and it's a preferred way of doing it – Sudip Bhandari Mar 02 '17 at 09:05

Password protected folder protects the folder but not the files (.htaccess)

1 Answers1