I have an Apache server with password-protected web directory. That directory has a sub-directory, which requires another password, but anyone who can access the sub-directory should have access to the parent directory as well. That is:
- /stuff - users "stuff" and "admin" allowed
- /stuff/admin - only user "admin" allowed
So I've set it up that way in the Apache config:
<Directory "/stuff">
    [AuthType Basic, AuthName, etc.]
    Require user stuff
    Require user admin
</Directory>
<Directory "/stuff/admin">
    [AuthType Basic, AuthName, etc.]
    Require user admin
</Directory>
This works in the sense that I can browse to /stuff and log in as either "admin" or "stuff". However, the pages in /stuff/admin reference some images from the parent directory. I find that when I browse directly to /stuff/admin and log in as "admin", the browser still prompts me for another password to load those images. (I know it's the prompt for /stuff, because the AuthName value is different.)
How do I avoid this and allow a user who has access to /stuff/admin to just log in once (as "admin"), not twice?
The problem turned out to be the different AuthName values for the two directories. I thought that its sole purpose was to provide a meaningful prompt to the user. Having read the documentation again, it turns out it has another purpose: the browser will automatically try the same credentials for directories with the same AuthName.
So what was happening in my case was that after having authenticated to /stuff/admin, the browser would request /stuff/something-else and get a "401 Unauthorized" response, but it wouldn't even try the same credentials. After I changed the AuthName to be the same, it automatically responded to the 401 by retrying with the "admin" username that I previously authenticated with, which worked.
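For reference, here is what the fix from the accepted answer looks like as a complete pair of Directory blocks. This is an added example, not the original poster's configuration; the filesystem paths (/var/www/stuff, /etc/apache2/htpasswd) and the realm string "Stuff" are assumptions. The first pair (commented out) reproduces the double-prompt setup with two different AuthName values; the second pair uses one AuthName for the whole tree so the browser reuses the "admin" credentials when /stuff/admin pages pull images from /stuff. The directives used are valid on both Apache 2.2 and 2.4.

```apache
# Added example (not the original poster's config). Assumed paths:
#   /var/www/stuff          - the protected document tree
#   /etc/apache2/htpasswd   - htpasswd file containing users "stuff" and "admin"

# BEFORE: two different realms. The browser keys cached credentials on the
# realm name, so after logging in to "Stuff Admin" it will not retry the
# same credentials when /stuff/... answers 401 with realm "Stuff".
#
# <Directory "/var/www/stuff">
#     AuthType Basic
#     AuthName "Stuff"
#     AuthUserFile /etc/apache2/htpasswd
#     Require user stuff admin
# </Directory>
# <Directory "/var/www/stuff/admin">
#     AuthType Basic
#     AuthName "Stuff Admin"
#     AuthUserFile /etc/apache2/htpasswd
#     Require user admin
# </Directory>

# AFTER: one realm name for the whole tree. A browser that has authenticated
# as "admin" to /stuff/admin answers the 401 from /stuff/... with the same
# credentials automatically, so the user is prompted once.
<Directory "/var/www/stuff">
    AuthType Basic
    AuthName "Stuff"
    AuthUserFile /etc/apache2/htpasswd
    # Several users on one Require line: any listed user is accepted.
    Require user stuff admin
</Directory>

<Directory "/var/www/stuff/admin">
    AuthType Basic
    AuthName "Stuff"
    AuthUserFile /etc/apache2/htpasswd
    # Inherits AuthType/AuthName/AuthUserFile from the parent block anyway;
    # repeated here so the block reads on its own. Only "admin" may enter.
    Require user admin
</Directory>
```

The access control itself is unchanged: a user who logs in as "stuff" at /stuff and then follows a link into /stuff/admin still gets a 401 there, and the browser, having had its cached credentials rejected, prompts again, which is the intended behaviour. Sharing a realm only tells the browser which credentials to try first; it does not widen what the Require lines allow. One caveat that applies regardless of realm: Basic auth sends the username and password (base64-encoded, not encrypted) on every request to the protected tree, so this setup should sit behind HTTPS.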
Have you tried reversing the order of the stanzas in your htaccess so that the more specific case is first? This may affect the matching and solve your double prompting problem.
Another thing to check is if you can use Realms or Groups to simplify, perhaps to specifying that multiple containers use the same authentication backend.
This (AAA) is different between Apache and Apache2 so check what you have. Here are both sets of docs:
http://httpd.apache.org/docs/1.3/howto/auth.html
http://httpd.apache.org/docs/2.2/howto/auth.html
hth,
adric
I haven't tried it, but would it work to change them both to require valid-user and point the admin .htaccess to a group .htpasswd file which was the admin subset and the base directory .htaccess to a .htpasswd file with the larger superset?
I believe when you list things on separate lines there is an implied "and". Try listing the users on the same line for an implied "or":