
I added HTTP basic authentication using Apache to access a PHP application, using a .htaccess file:

AuthType Basic
AuthName "Secure Area"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
Require valid-user

This is working fine for most of the application except for the admin panel.

This is because, in order to access the admin panel, the PHP application also provides its own HTTP basic authentication by sending the WWW-Authenticate HTTP header in the response.

So, when I try to access the PHP application's secured area, it looks like I am encountering an HTTP Basic authentication conflict between Apache and PHP. (Both are working properly individually.)

The solution I am thinking of is to enable Apache HTTP Basic authentication only if the requested page did not already send a WWW-Authenticate header.

I tried this without success:

AuthType Basic
AuthName "Secure Area"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
<RequireAll>
  Require valid-user
  Require expr %{HTTP:WWW-Authenticate} =~ m#^$#
</RequireAll>

This results in an infinite loop of requests trying to authenticate. Is this possible?

Seb33300

1 Answer


I don't think that this will work. When adding Apache's authentication methods, the request is stopped unless you authenticate. Your PHP application is not run in any way if Apache hasn't received authentication details for its own layer.

Nico Haase
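The conflict discussed in the question and answer above, as an added Python model (not code from either poster): both layers read the one Authorization header a request carries, and Apache decides before PHP starts. The credential stores, the realm name "PHP admin" and all function names are assumptions made up for the illustration.

```python
import base64

# Constructed sample credential stores (assumptions, not from the page).
HTPASSWD = {"siteuser": "site-pass"}   # what Apache checks via AuthUserFile
PHP_ADMINS = {"admin": "admin-pass"}   # what the PHP admin panel checks


def basic(user, password):
    """Build the value of an Authorization request header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(headers):
    """Return (user, password) from the request's single Authorization header."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return user, password


def apache_layer(headers):
    """Model of the second .htaccess in the question (the <RequireAll> block)."""
    # %{HTTP:WWW-Authenticate} is looked up in the *request* headers.
    # WWW-Authenticate is a response header, so the value is empty and the
    # expression always matches ^$: it adds no condition at all.
    expr_ok = headers.get("WWW-Authenticate", "") == ""
    creds = parse_basic(headers)
    valid_user = creds is not None and HTPASSWD.get(creds[0]) == creds[1]
    return expr_ok and valid_user


def php_admin_layer(headers):
    """Model of the application's own Basic check (hypothetical store)."""
    creds = parse_basic(headers)
    return creds is not None and PHP_ADMINS.get(creds[0]) == creds[1]


def request_admin(headers):
    """Return (status, realm of the 401 challenge or None, whether PHP ran)."""
    if not apache_layer(headers):
        return 401, "Secure Area", False   # Apache stops here; PHP never runs
    if not php_admin_layer(headers):
        return 401, "PHP admin", True      # PHP rejects Apache's credentials
    return 200, None, True
```

Each set of credentials satisfies one layer and fails the other, so every attempt ends in a fresh 401 challenge, which is the loop reported in the question.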