5

I use .htaccess to protect a website with a password.

If I use HTML5 audio elements on that website, my iPad requires the website password at each reload, although it's saved in the browser.

Only on iPad. Not rooted, all original iOS. Tested with Chrome and Safari on iPad, always the same.

If there is no audio element on the page, it doesn't require the password.

This doesn't happen on an Android Tablet or Firefox in Windows.

What can I program to prevent the iPad asking for the password?

I use the following code from this website.

```html
<!DOCTYPE HTML>
<html>
<head>
<title>Audio</title>
</head>
<body>

<script>
function play(){
    var audio = document.getElementById("audio");
    audio.play();
}
</script>

<input type="button" value="PLAY" onclick="play()">
<audio id="audio" src="./207.wav"></audio>
</body>
</html>
```

The .htaccess:

```apache
AuthType Basic
AuthName name123
AuthUserFile /somepath/.htpasswd
require valid-user
SetEnv no-gzip
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 1 seconds"
AddDefaultCharset UTF-8
```
Roman

1 Answer

5

It is a very old problem. The Safari browser disables sending auth params when doing something automatically: a redirect with 301-302 HTTP codes or loading a media file. It looks like this is a security issue: Safari doesn't allow access to a file loaded automatically.

Let's check it with server logs (I've added an image to the page):

`GET /t/i.jpg HTTP/1.0" 200`: images are loaded great.

`GET /t/207.wav HTTP/1.0" 401`: audio is not loaded, prompt is shown.

So it is the audio file that forces the auth prompt to show. There is a workaround, but it is not secure enough.

UPD. The following code shows a 200 response for the first access (img tag) to 207.wav and a 401 for the second (audio tag).

```html
<img src="./207.wav" width=200><br>
<audio id="audio" src="./207.wav"></audio>
```

```
217.118.81.250 - ivan [11/Feb/2017:20:32:13 +0300] "GET /t/207.wav HTTP/1.0" 200 ... Safari/602.1"
217.118.81.250 - - [11/Feb/2017:20:32:15 +0300] "GET /t/207.wav HTTP/1.0" 401 ... Safari/602.1"
```
shukshin.ivan
  • You mean iOS in general? Because this problem also happens with Chrome on iOS. – Roman Feb 11 '17 at 12:29
  • If you look at `User-agent`, you see something like `AppleWebKit/602.1.50 blabla Safari/602.1` *even if it is Chrome or Opera browser*. I'm not aware of the internal architecture of browsers in iOS, but it looks like they use the same engine `AppleWebKit` as Safari does. – shukshin.ivan Feb 11 '17 at 17:32
  • Apple does not allow anyone to create their own browser view; you must use the Safari embedded browser in their apps, so Chrome, Opera, Firefox all have to use the embedded Safari in iOS. – Barkermn01 Feb 12 '17 at 01:31
  • @MartinBarker Thanks for that input, would be worth reputation as well, but I can only give shukshin.ivan. – Roman Feb 12 '17 at 10:55
  • @shukshin.ivan Thanks, completely true, also the workaround worked. As it is only one simple wav file, I guess the security issues are negligible. – Roman Feb 12 '17 at 10:56
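
A check an administrator can run over the access log to find the pattern shown in the answer's log excerpt: an authenticated request followed shortly by an anonymous 401 from the same client, as opposed to a first-visit challenge or a wrong password. This is an added example, not code from the original thread; it assumes Apache's combined log format, and the sample lines, addresses and the name `find_dropped_credentials` are constructed for illustration.

```python
import re
from datetime import datetime

# Apache "combined" log format (assumption; adapt if your LogFormat differs).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation-range addresses, shortened User-Agents).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2017:20:32:10 +0300] "GET /t/ HTTP/1.0" 401 381 "-" "Mozilla/5.0 (iPad) AppleWebKit/602.1.50 Safari/602.1"
203.0.113.7 - ivan [11/Feb/2017:20:32:12 +0300] "GET /t/ HTTP/1.0" 200 412 "-" "Mozilla/5.0 (iPad) AppleWebKit/602.1.50 Safari/602.1"
203.0.113.7 - ivan [11/Feb/2017:20:32:13 +0300] "GET /t/i.jpg HTTP/1.0" 200 5120 "-" "Mozilla/5.0 (iPad) AppleWebKit/602.1.50 Safari/602.1"
203.0.113.7 - - [11/Feb/2017:20:32:15 +0300] "GET /t/207.wav HTTP/1.0" 401 381 "-" "Mozilla/5.0 (iPad) AppleWebKit/602.1.50 Safari/602.1"
198.51.100.9 - roman [11/Feb/2017:20:32:20 +0300] "GET /t/207.wav HTTP/1.0" 200 88244 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/51.0"
198.51.100.9 - roman [11/Feb/2017:20:32:40 +0300] "GET /t/ HTTP/1.0" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/51.0"
"""

def find_dropped_credentials(log_text, window_s=30):
    """Return (ip, path, user, timestamp) for every anonymous 401 that follows an
    authenticated request from the same IP and User-Agent within window_s seconds."""
    last_auth = {}  # (ip, ua) -> (user, time) of the latest authenticated request
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["ua"])
        if m["user"] != "-" and m["status"] != "401":
            last_auth[key] = (m["user"], ts)
        elif m["user"] == "-" and m["status"] == "401" and key in last_auth:
            # A 401 that carries a user name is a wrong password, not this pattern.
            user, seen = last_auth[key]
            if (ts - seen).total_seconds() <= window_s:
                findings.append((m["ip"], m["path"], user, m["ts"]))
    return findings

if __name__ == "__main__":
    for hit in find_dropped_credentials(SAMPLE_LOG):
        print("credentials not sent:", hit)
```

The paths it reports are the subresources that trigger the password prompt for already-authenticated clients.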