Home / server / Questions / 43647
In Process
Kyle
Asked: 2009-07-22 09:21:17 +0800 CST

Apache send 403 instead of 401

  • 772

Is there a way to get apache to send a 403 instead of a 401 with some config in an .htaccess file? I'm using dreamhost btw.

Edit:

I should better explain what I am doing. I am doing an HTTP auth login page with jQuery. My goal is to bypass that browser popup login window. To do this, I want the server to give me a 403 error when I try to access a file in the protected realm, as opposed to the 401 I am currently getting by default. When I get that 403, I can run a function that tells the user they have a password wrong instead of that browser popup, which doesn't tell the user they got information wrong, it just makes the site look bad in the end.

thanks =)

apache-2.2

3 Answers

  1. You can use a rewrite rule to produce a 403.

    RewriteEngine on
RewriteRule myfile myfile [F]

    F, in this case, means forbidden (403).

    EDIT
    ...and yes, this goes in the .htaccess file.

    EDIT
    As described in a comment to radius answer, you'd like to check if a user is authorized. I don't know how you're doing your authorization, but my guess is that it's not immediately possible. I usually do my authorization in PHP, in which case you can simply do a header('HTTP/1.1 403 Forbidden');, but you seem to be using some other mechanism (apache internal I suppose).

    • 4

  2. chmod the file so that it is not readable.

    • 0

  3. Give us more information about what you are doing.
    If you have a protected ressource using authentification apache will return code 401. If it returns 403 instead of 401 your browser will not ask you for a password.
    If the ressource is not protected by authentification you should not get an error 401.

    Edit: As per your edit, I understand that you want http://website/files/forbar to return 403, and have a 403 error page asking for a password (let say http://website/403.php).
    I don't think you can do that because your script will not be able to tell apache that the file is no longer forbidden when the user will be logged in.
    So you could have the file returning 403 but it will never return something else.

    The way I would do is to have 'file' outsite of you public web directory and users to load http://website/myscript.php?getfile=foobar, so that your script can control if user is authenticated or not and give the file when the user will be authenticated.
    Of couse you can then add an apache redirection to tell http://website/file/"something" to redirect to http://website/myscript.php?getfile="something" (this one would be RedirectMatch /file/(.*) http://website/myscript.php?getfile=$1

    • -1