Link to home
Start Free TrialLog in
Avatar of jzilberberg
jzilberberg

asked on

htaccess setup

I need to set up different logins on a parent directory and on a subdirectory to that parent directory. When I add .htaccess and .htpasswd files to both directories I get prompted for both logins when going to the subdirectory. I need to know how to set this up so that I only get prompted for the individual login for each directory. Can someone tell me how this is achieved?
Avatar of themrrobert
themrrobert
Flag of United States of America image

You mean that when you type:

http://myserver.com/protected1/protected2

It asks you for 2 sets of authorization user/pw combos?
Avatar of jzilberberg
jzilberberg

ASKER

Correct. I need "protected2" to only prompt me for that directory's login not both. So I need to know how to write both htaccess files to achieve this.
If you can set the other directory as a subsite of the domain, this will allow you to have .htaccess file for each individually.
I can't do that.
So, given I cant' set up the subdirectory as a subsite of the domain, is there another option? Is this not a standard set up that is achievable in apache via htaccess? Can the parent directory be set up to be only applied to itself and ignore subdirectories?
ASKER CERTIFIED SOLUTION
Avatar of xterm
xterm

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thank you for this. I don't have server access so I cannot affect httpd.conf. Is there a solution only through affecting .htaccess files?
The AllowOverride switch really just turns on the use of .htaccess files (see http://httpd.apache.org/docs/2.0/howto/htaccess.html)

So in essence, if you're getting prompted for a username and password now, then the system config file must already override either All or AuthConfig.

Thus, if your .htaccess files look like mine, they should work as I describe above.
So, according to your instruction I should not have to change anything on the server and just change the root level .htaccess file, correct?

Here is what I have created. This .htaccess file lives on the root and there is a .htpassword file on the root and one on in the child directory. This only prompts for one set of credentials, but the one it requires for either directory is the child directory's credentials. Can you please let me know what I am not doing right here?

AuthUserFile /mnt/target05/347173/www.mydomain.com/web/content/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
<Limit GET>
require valid-user
</Limit>

AuthUserFile /mnt/target05/347173/www.mydomain.com/web/content/admin/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
<Limit GET>
require valid-user
</Limit>
So if you go to the server root in a browser you can only authenticate with a user contained in /admin/.htpasswd?
And the same is true if you go to serverroot/childdirectory in the browser?

Both of them prompt and will only accept a username/password found in the child directory's .htpassword, which is /mnt/target05/347173/www.mydomain.com/web/content/admin/.htpasswd ?

If you go to the server root, and attempt to authenticate with a username/password in  /mnt/target05/347173/www.mydomain.com/web/content/.htpasswd, what happens?

That seems impossible to me - there's no way the main root .htaccess can even KNOW about the .htpasswd file in the content/admin directory.  Please confirm this to be the case.
Correct, I can only authenticate with the user contained in /admin/.htpasswd for both directories.

Correct, both of them prompt and will only accept a username/password found in the child directory's .htpassword, which is /mnt/target05/347173/www.mydomain.com/web/content/admin/.htpasswd ?

If I go to the server root, and attempt to authenticate with a username/password in /mnt/target05/347173/www.mydomain.com/web/content/.htpasswd, I just keep getting prompted for valid credentials unless I use the credentials for /admin.

The good news is I don't get a double prompt like originally, but now there is this issue of improper authentication.
I hate to beat a dead horse, but the basic impossibility of what you are suggesting leads me to call into question your htpasswd or htaccess files - there is simply no way that the server root can authenticate a user which is not referenced in its own .htaccess file.

I suggest that in the server root .htaccess file you put "AuthName EnterRootPassword" and in the child you put "AuthName EnterChildPassword" temporarily.

Then make sure that you have no username overlap in the htaccess files.  Perhaps in the one that feeds the root directory put a single user "foo" and in the one in the /admin (child) directory, put a single user "bar".

For good measure, I'd probably dump client browser cache and restart it too.
Ok, thanks for sticking with me on this.

I made the changes to the AuthName line you suggested and tried again. Same result.

Regarding this instruction: "Then make sure that you have no username overlap in the htaccess files.  Perhaps in the one that feeds the root directory put a single user "foo" and in the one in the /admin (child) directory, put a single user "bar". - I am not sure what you mean by "put a single user "foo". Can you please be explicit about how I should do this?
Yes, create them as such:

$>cat  /mnt/target05/347173/www.mydomain.com/web/content/.htpasswd
foo:.J9xG620h1puU

$> cat /mnt/target05/347173/www.mydomain.com/web/content/admin/.htpasswd
bar:fFaB/ikx068JE

User foo's password is bar.  User bar's password is foo.  With those two htpasswd files in place you should only be able to auth as foo/bar in the server root directory, and as bar/foo in the child directory.

Make sense?
Yes, this is already what I had set up in the individual .htpasswd files in the parent and child directories as you outlined in your last message, but with my actual user names and passwords. Just for certainty, I changed them to foo/bar and bar/foo respectively and tried again. Only bar/foo works for both directories.
If you DELETE (or just move elsewhere or rename) the .htaccess file in the child directory that references /mnt/target05/347173/www.mydomain.com/web/content/admin/.htpasswd, what happens?

This should only leave the .htaccess file in the root referring to /mnt/target05/347173/www.mydomain.com/web/content/.htpasswd which should ONLY allow the authentication of foo/bar.

I guess let's get this working one directory at a time, starting with the root.
I don't have an .htaccess file in the child directory, so my set up has been just as you prescribe in your last message.

So, just to see I removed the second block from the root .htaccess file:

AuthUserFile /mnt/target05/347173/www.mywesternathleticclub.com/web/content/admin/.htpasswd
AuthGroupFile /dev/null
AuthName EnterChildPassword
AuthType Basic
<Limit GET>
require valid-user
</Limit>

Now when I try to login to either directory both require the root credentials instead of the child credentials as before. Very strange since there is no directive to prompt for the child directory at all at that point.
Wait a minute, I think we're on to something here - you didn't ever HAVE a .htaccess file in the child folder?  You need one!  I didn't realize you'd pupt both "blocks" into one file.  See my original post, those are two separate .htaccess files, one in the root, one in the child folder.

Notice I have one in /protected1 and one in /protected1/protected2?

Anyway, just substitute that for /, and /protected1 and you'll be golden.

Each .htaccess file references its own .htpasswd file.

Phew, that shouldn've have been so tough :)  
Ok, sorry I missed that. So now they are in 2 files in the respective directories. No double prompt, but now the root credentials are the only ones that work for both directories.
Okay, please paste the child .htaccess file and it's associated htpasswd file (you can munge the usernames if you want to protect the privacy of these)
AuthUserFile /mnt/target05/347173/www.mydomain.com/web/content/admin/.htpasswd
AuthGroupFile /dev/null
AuthName EnterChildPassword
AuthType Basic
<Limit GET>
require valid-user
</Limit>

saleskit:BHP7lJ7qIqyG
Oh wait!!! We're there! I uploaded the last revisions to the wrong server. Just uploaded to the correct server and retried and it works. Very simple solution when implemented correctly. Thanks for working with me on this!!!
Great, because I was out of ideas :)  Enjoy!
THANK YOU!!