One time authentication using .htaccess?


#1

Hi,

I’d like to do something like this:

I have a directory which I want to be password protected, recursively. The user who wants to access this directory and its sub-directories and the files inside them will be prompted to enter user/pass; once they are authenticated, they are free to view all the files in it (recursively).

I am currently using .htaccess to do this and what I found out is that .htaccess recursively affects directories below it (which is what I want) but at the same time, requesting a file in another sub-directory (say, /protected_dir/anotherdir/index.html) yields the same authentication request even though the user has just passed the one in the entry dir (say, the one from /protected_dir/index.html, which is NOT what I want). So the user has to do this the second time if she chooses to view some files in a sub-directory.

Is there a way to just have the user authenticated only the first time she requests a page (either the index.html or a file in a subdir) while still having all the sub-directories protected? Can this be done with just .htaccess or do I need to use some scripting to do that?

Thanks!


#2

I haven’t run into this, but I use:
http://wiki.dreamhost.com/KB_/Account_Control_Panel/Goodies::Htaccess/_WebDAV

I believe that it also uses .htaccess, but either I’ve not tried the wrong combination of traversals, or it just somehow works properly.

-Scott


#3

It shouldn’t be doing that to begin with. That kind of behavior is either due to the browser not passing on the authorization response (i.e. the encoded username and password) on subsequent requests or multiple .htaccess files specifying different realms or user/group files.

The way it works is that the server always requests authorization. It’s up to the browser to get the credentials from the user and remember them so it can automatically provide them for the duration. So some problems involve a race condition (e.g. the browser requests two protected images at the same time but from a non-protected page) or the browser is working with different sessions (i.e. one window doesn’t know what another window is doing).

Something out of the ordinary is happening and if you can’t figure it out then it sounds like you are going to have to resort to authentication using CGI scripting instead. Are you able to duplicate this behavior yourself? It may very well be browser / browser version specific.

Customer since 2000, openvein.org


#4

Thanks much!


#5

Maybe you have a solution, but:

  1. Only one .htaccess in the root-directory, not in the sub-directories.

  2. It might be that switching between example.org and www.example.org could cause what you experience.
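
The replies above name nested .htaccess files that set a different realm or user/group file as a likely cause of the repeated prompt. The Python script below is an added example, not part of the original thread, that walks a protected tree and reports every nested .htaccess overriding an auth directive inherited from a directory above it; the directory names, realm names and the /home/example/.htpasswd path are constructed sample values.

```python
import os
import shlex
import tempfile

AUTH_DIRECTIVES = {"authtype", "authname", "authuserfile", "authgroupfile"}

def parse_auth(path):
    """Return {directive: value} for the auth directives in one .htaccess file."""
    settings = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            try:
                parts = shlex.split(line)  # honours quoted realms: AuthName "My Area"
            except ValueError:             # unbalanced quote: not a line we can read
                continue
            # Comment lines start with "#", so their first token never matches.
            if parts and parts[0].lower() in AUTH_DIRECTIVES:
                settings[parts[0].lower()] = " ".join(parts[1:])
    return settings

def find_auth_conflicts(root):
    """Return (subdir, directive, inherited_value, override_value) tuples."""
    root = os.path.abspath(root)
    conflicts, inherited = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order; parents are always visited first
        parent = inherited.get(os.path.dirname(dirpath), {})
        effective = dict(parent)
        if ".htaccess" in filenames:
            own = parse_auth(os.path.join(dirpath, ".htaccess"))
            for key, value in own.items():
                if key in parent and parent[key] != value:
                    conflicts.append((os.path.relpath(dirpath, root), key, parent[key], value))
            effective.update(own)
        inherited[dirpath] = effective
    return conflicts

def demo():
    """Audit a constructed tree: one sub-directory changes the realm, one does not."""
    root = tempfile.mkdtemp()
    base = 'AuthType Basic\nAuthName "Protected"\nAuthUserFile /home/example/.htpasswd\nRequire valid-user\n'
    files = {".": base, "anotherdir": 'AuthName "Another Area"\n', "same": '# same realm\nAuthName "Protected"\n'}
    for sub, text in files.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
            fh.write(text)
    return find_auth_conflicts(root)

if __name__ == "__main__":
    print(demo())
```

A reported `authname` override means the browser sees a new realm and will prompt again; an `authuserfile` or `authgroupfile` override means the remembered credentials are checked against a different file and may be rejected.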