Centos7, remove htaccess, still prompting for auth

While testing .htaccess auth on centos 7 using apache 2.4, something odd happened.

We have the following in the httpd.conf;
<Files ".ht*">
    Require all denied

We have the .htpasswd above the root of the web site and the .htaccess in one of the sub directories.
All was working as it should, being prompted for auth when trying to connecting using curl or browser.

We removed the .htaccess and were still prompted.
Then we removed the .htpasswd file and that seemed to change the behavior.

This makes no sense since the path of the .htpasswd is above the root of the site and the path is in .htaccess.

So, then we replace the files and then things work as expected, prompted when there is an .htaccess and not when it is removed.

What gives?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Check the httpd.conf or the sites config in /etc/httpd/conf.d
See what .htaccess is a more granular./selective

What are your site consists of are you using a CMS, joomla, Drupal, etc. the auth requirement could be coming from it.
Try reloading httpd to see fit gets cleared.
projectsAuthor Commented:
Well, it's working now and that's the problem, I can't replicate it so am not sure why it happened.
Sites are mostly Wordpress and a few html ones. One Joomla I think.

Wondered if centos7/apache2.4 did some kind of caching I wasn't aware of. Just didn't make sense that removing the .htaccess didn't stop the connections from being asked for auth.
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

It does, but the behavior of the client might also be an issue, I.e. The client having previously authenticated, includes that header in a request, that is no longer valid, though not sure it would be prompted for the login in the absence of a requirement and non-related data being presented.

Without looking at the logs to see whether Apache triggered the prompt or an

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
projectsAuthor Commented:
The client is curl however so, no browser caching is in play.
Then the client/curl had previously retrieves the page and was still referencing the need for  authentication.

It is all a guess on my part.
projectsAuthor Commented:
So we don't know and cannot know. How do I award this?
As you see fit. Have any comments help in either confirm or ...........
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.