Restrict access to directory but allow access to internal redirect

I want to password protect a directory using Apache’s basic auth. However, I also want to allow an internal redirect on POST requests (to a specific URL) to a PHP file located inside this protected directory (without the user being prompted for a password).

This is what I have at the moment in the .htaccess located in the base of the site directory:

RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^page.html$ protected/page.php [E=allowed,L]

And in the protected directory I have the following .htaccess:

AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/.htpasswd
Require user username
Order allow,deny
Allow from env=allowed
Satisfy Any

However, when I send a POST request to page.html, I get prompted for a username and password. If I remove the .htaccess file in the protected directory, and do a phpinfo() in page.php, then I can see in the Apache Environment section there is a variable called REDIRECT_allowed. So it appears that the environment variable is being set OK, it's just that the Allow from env=allowed isn’t working.

This is on a shared hosting account, so I can only do .htaccess level stuff. Any ideas?

Thanks

Dave

I haven’t found out why the directives in my previous post weren’t working as I expected, but I have found what seems like a solution for my problem: Apache: require basic auth, except for specific POST requests.

Since I can’t edit the server level / virtual hosts config, I changed the .htaccess in my protected directory to:

AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/.htpasswd
Require user username
<Files "page.php">
	<Limit POST>
		Satisfy Any
	</Limit>
</Files>

And now I can POST to protected/page.php (either directly or via the rewritten URL) without being prompted for a username and password. But if I try to GET protected/page.php or try to access any other file in the protected directory, I get prompted for a username and password. Which is exactly what I wanted.

Just to update this with another alternative solution in case anyone comes across this in the future, you can also just have the basic auth lines in the protected directory’s .htaccess. Then in the parent directory’s .htaccess use the RequestHeader to append the auth details to the request:

RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^page.html$ protected/page.php [E=allowed,L]
RequestHeader set Authorization 'Basic encodedauthstringhere' env=allowed

You can get the encoded auth string by checking the auth header your browser sends when you enter the username and password to access the protected directory.

Unfortunately, while both this solution and the previous solution worked fine in my local environment, neither of them worked on the live server this was for, which seems to use some combination of IIS and Apache.
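The "encoded auth string" used with RequestHeader above is the base64 form of username:password, so anyone who can read that .htaccess can recover the credentials. The script below is an added example, not part of the original posts: it scans .htaccess text for hard-coded Basic credentials and reports the username without printing the password. The function name, the sample file and the credentials in it are constructed for illustration.

```python
import base64
import binascii
import re

# RequestHeader <action> Authorization "Basic <base64>" [env=...]
DIRECTIVE = re.compile(
    r"""^\s*RequestHeader\s+(?:set|setifempty|append|add|merge)\s+Authorization\s+
        (?P<q>['"]?)Basic\s+(?P<b64>[A-Za-z0-9+/=]+)(?P=q)""",
    re.IGNORECASE | re.VERBOSE,
)

def find_embedded_basic_credentials(htaccess_text):
    """Return one finding per active RequestHeader line that hard-codes Basic auth."""
    findings = []
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):      # commented-out directive
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group("b64"), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = ""                       # placeholder or corrupt token
        user, sep, password = decoded.partition(":")
        findings.append({
            "line": lineno,
            "user": user if sep else None,
            "recoverable": bool(sep),          # True: user:password can be read back
            "password_length": len(password) if sep else 0,
        })
    return findings

# Constructed sample: the rules from the post with a made-up credential,
# a commented-out copy, and the post's literal placeholder string.
_TOKEN = base64.b64encode(b"username:constructed-secret").decode()
SAMPLE_HTACCESS = f"""\
RewriteCond %{{REQUEST_METHOD}} POST
RewriteRule ^page.html$ protected/page.php [E=allowed,L]
RequestHeader set Authorization 'Basic {_TOKEN}' env=allowed
# RequestHeader set Authorization 'Basic {_TOKEN}'
RequestHeader set Authorization 'Basic encodedauthstringhere' env=allowed
"""

if __name__ == "__main__":
    for finding in find_embedded_basic_credentials(SAMPLE_HTACCESS):
        print(finding)
```

A finding with "recoverable" set to True means the file should be treated like a password file: kept out of version control and readable only by the web server account.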