
I'm trying to password-protect a specific URL, mydomain.com/admin, in CodeIgniter 3.x with .htaccess and .htpasswd files, but I have a weird problem with the prompt! When it appears on the screen, normally I have to type the correct username and password and hit the sign-in button, and only then should the page load! But!!!!! Whether I click the Cancel button or click the OK button twice in a row, the page loads and shows everything. (It should show a 401 or 403 error code.)

The .htaccess code is here:

```apache
RewriteEngine On
# Serve existing non-empty files, symlinks and directories as they are
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
# Everything else goes through CodeIgniter's front controller
RewriteRule ^.*$ index.php [NC,L]
RewriteRule ^([^.]+)\.html$ $1.php [L]

# Flag only the admin login URL as needing authentication
SetEnvIf Request_URI .*/admin/login$ require_auth=true
AuthUserFile /home2/ashkanr1/public_html/test/.htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
```

The first part is mine, but I found the second part here.

Update: I tried this code on my Windows machine with WAMP server, and it works there:

```apache
RewriteEngine On
# Serve existing non-empty files, symlinks and directories as they are
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
# Everything else goes through CodeIgniter's front controller
RewriteRule ^.*$ index.php [NC,L]
RewriteRule ^([^.]+)\.html$ $1.php [L]

# Flag only the admin login URL as needing authentication
SetEnvIf Request_URI .*/admin/login$ require_auth=true
# Windows path (drive letter followed by a slash)
AuthUserFile c:/wamp64/www/test/.htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
```

Update 2: I'm using a hosting provider, not a dedicated server. Can that be an issue?

Ashkan
  • Is your entire website TLS secured? – Martin May 19 '20 at 23:49
  • I would suggest removing `Allow from env=!require_auth` to see if that fixes your access-if-no-details-are-given issue? – Martin May 19 '20 at 23:51
  • @Martin No, my website is not using TLS right now. And when I remove `Allow from env=!require_auth`, my entire website asks me for a user and password. I need it only on one of my controllers. – Ashkan May 20 '20 at 00:02
  • If you're not using TLS then there's no point using HTTP Auth as it's a massive security hole. Seriously, re-consider your approach as currently you're trying to bar the window while leaving the doors wide open. – Martin May 20 '20 at 00:06
  • https://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https – Martin May 20 '20 at 00:07
  • @Martin But YES! If I remove this part, access-if-no-details-are-given will be OK: it shows a 401 error whether I click Cancel or OK twice. Sorry, I didn't catch the point of your question at first. – Ashkan May 20 '20 at 00:09
  • @Martin You are right, but I have to do this because my client wants it, and the website will use TLS. I'm just not using TLS right now at the test level. – Ashkan May 20 '20 at 00:12

1 Answer

You can simplify your code to the below:

```apache
AuthName "Password Protected"
AuthUserFile /home2/ashkanr1/public_html/test/.htpasswd
AuthType Basic
require valid-user
```

Security Note:

If you're not using TLS then there's no point using HTTP Auth as it's a massive security hole. Seriously, re-consider your approach as currently you're trying to bar the window while leaving the doors wide open.

As a BARE MINIMUM you can use HTTP Auth with TLS to encrypt the data transport but I would highly recommend using HTTP Auth with another system layered underneath it or simply dumping it entirely and using a complete and established server-side website authentication system.

You reference that you use CodeIgniter and this has a User Authentication System inside it, which can be a good starting point to build from.

Martin
  • I tried this code, but I get a 500 Internal Server Error when I submit the right user and password. And I do have server-side authentication; actually, I have two-step authentication. But my client told me he wants this too! :\ Thanks for your time, Martin :) – Ashkan May 20 '20 at 22:10
  • Try [reading here](https://tecadmin.net/configure-basic-authentication-in-apache-using-htaccess/) for help. – Martin May 20 '20 at 22:14
  • Your `AuthUserFile` should ***absolutely not*** be in `public_html`, which is the world-accessible folder of your server. Move it somewhere else now. – Martin May 20 '20 at 22:16
  • Check that your `.htpasswd` file exists, too. – Martin May 20 '20 at 22:16
  • @Ashkan Anywhere not in `public_html`, such as `/home2/ashkanr1/httpauth/test/.htpasswd`. – Martin May 23 '20 at 12:14
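As an added example (not code from the question, the answer, or any of the commenters), here is one way to put the advice in this thread together for the question's setup on Apache 2.4: the `.htpasswd` file lives outside `public_html` (the path `/home2/ashkanr1/httpauth/test/.htpasswd` is the one Martin suggested; everything else about the host is an assumption), `/admin` is redirected to HTTPS before the Basic-auth prompt is ever sent, and the Apache 2.2-style `Order`/`Satisfy any`/`Allow from env` block from the question is replaced by the 2.4 `<RequireAny>` form, which achieves the "only prompt on /admin" behaviour the question wanted. It goes in the `.htaccess` at the document root and assumes mod_rewrite, mod_auth_basic, mod_authn_file and mod_authz_core are loaded.

```apache
# .htaccess at the document root (added example; assumes Apache 2.4 with
# mod_rewrite, mod_auth_basic, mod_authn_file and mod_authz_core enabled)

RewriteEngine On

# 1. Never send the Basic-auth prompt over plain HTTP: redirect /admin to
#    HTTPS before any other rule runs. Assumes TLS terminates on this Apache;
#    behind a TLS-terminating proxy, test %{HTTP:X-Forwarded-Proto} instead.
RewriteCond %{HTTPS} !=on
RewriteRule ^admin(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. CodeIgniter front controller, as in the question: serve real files,
#    symlinks and directories directly, route everything else to index.php.
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]

# 3. Basic auth. The password file is OUTSIDE public_html (path taken from
#    the comments above). Apache opens it with its own file-system rights,
#    so it never needs to be reachable by URL.
AuthType Basic
AuthName "Password Protected"
AuthUserFile /home2/ashkanr1/httpauth/test/.htpasswd

# 4. Only /admin (and anything under it) needs a valid user; every other URI
#    is granted by the first directive without a prompt. mod_authz_core
#    evaluates providers that need no user (such as expr) before asking for
#    credentials, which is the 2.4 replacement for "Satisfy any" plus
#    "Allow from env=!require_auth". REQUEST_URI keeps the original path
#    (/admin/...) even after the internal rewrite to index.php.
<RequireAny>
    Require expr "%{REQUEST_URI} !~ m#^/admin(/|$)#"
    Require valid-user
</RequireAny>

# 5. Belt and braces: even if a .htpasswd is copied into the web root later,
#    refuse to serve it (or any other .ht* file) directly.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Create the password file with `htpasswd -cB /home2/ashkanr1/httpauth/test/.htpasswd admin` so the hash is bcrypt rather than the weak default, and make sure the directory is readable by the web server user but not writable by it. Two things to check on a shared host: the vhost must allow `AllowOverride AuthConfig FileInfo` (or `All`) for the `.htaccess` to take effect, and a 500 error immediately after adding this file usually means the 2.4 directives (`<RequireAny>`, `Require expr`, `Require all denied`) are not available there, in which case the 2.2 `Satisfy any` form from the question is the only option and the `.htpasswd` location and the HTTPS redirect still apply unchanged.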