1

My issue:

My website consists of some files in the root folder, as well as a password-protected sub-folder, set in my htaccess. When I try to access the sub-folder it prompts me for the password, as it should. However, it prompts me for the password twice, and after entering the correct password twice, it then throws a 404 error. If I enter an incorrect password, it keeps asking for the password.

After inputting the password, I am in fact logged in, because if I try to access a specific part of that subfolder (i.e. myurl.com/subfolder/index.php), I can access it. But obviously the site shouldn't throw a 404 error first.

What I've tried:

I have seen that other people have a similar issue, regarding password-protected sub-folders and 404 errors. However, my issue is slightly different, as I actually get to input a password. Therefore the common solution of adding ErrorDocument 401 "Authorisation Required" has not solved the issue.

Code:

This is the htaccess for the root folder:

#Redirects to the https version of site
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

## Removes php extensions 
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]

#Allow password for subfolder
ErrorDocument 401 "Authorisation Required"

And this is the htacess for the subfolder:

#Password for subfolder
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile myurl/mysubfolder/.htpasswd
Require valid-user

Any help is much appreciated!

KaizerLBA
  • 23
  • 6
  • 1
    Start _debugging_ the issue by figuring out which requests are actually triggering the password prompt, using your browser dev tools. – CBroe Nov 11 '20 at 11:01
  • Maybe this is a possible solution to your answer it worked for me https://stackoverflow.com/questions/5229656/password-protecting-a-directory-and-all-of-its-subfolders-using-htaccess – Twak Nov 11 '20 at 11:39
  • Check your server logs to see exactly what's calling your files. – Martin Nov 11 '20 at 13:14

1 Answers1

0
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]

If you request the /subfolder directory (and once you are authenticated) the above mod_rewrite directives (in the root .htaccess file) will append a .php extension, ie. /subfolder/.php and result in a 404.

(Not sure why you are getting prompted twice for the password, unless this is also related to the above rewrite, or perhaps with the way the 404 is being triggered - do you have a custom 404 document defined? Do you have any other .htaccess directives?)

You need to either:

  • Include an additional condition in the above rule to exclude directories. For example:

    RewriteCond %{REQUEST_FILENAME} !-d

  • Or, in the /subfolder/.htaccess file, disable the rewrite engine, so the mod_rewrite directives in the parent .htaccess file are not processed. Although this may not be desirable.

    RewriteEngine Off
MrWhite
  • 43,179
  • 8
  • 60
  • 84