Apache htaccess passwd - ignoring correct login

Question

I want to password protect a directory. I'm running Apache 2 with cPanel on Centos.

For the sake of this post, the directory is /home/user/my-secret-dir

I used cPanel's "Password Protect Directories" to create the login details, which it stored in a new /home/user/.htpasswds/my-secret-dir/passwd file.

What it didn't do is create the AuthType configuration anywhere - I could simply access the directory without prompts (it's just got a generic index.html whilst I get this working).

So I created /home/user/my-secret-dir/.htaccess myself, with the following contents:

AuthType Basic
AuthName "My Secret Directory"
AuthUserFile "/home/user/.htpasswds/my-secret-dir/passwd"
require valid-user

This now causes the browser to prompt for login details, but upon entering the correct username and password it behaves as if they were wrong and re-prompts for the details.

The details I'm entering are definitely correct.

I've previously setup a password protected directory on this same server (though for different account/domain) and that worked fine (and still works), and I've compared the two and can't see any significant differences.

Any ideas what might be causing the continual prompts, and how I can fix it?

Answer 1

This was a permissions issue - Apache was unable to access the auth file, so was treating everything as invalid.

Checking the logs revealed:

(13)Permission denied: Could not open password file: /home/user/.htpasswds/my-secret-dir/passwd

Turns out the /home/user/.htpasswds directory had existed before now, and had incorrect permissions on it.

I updated the permissions so Apache was able to access it, and then logging in worked as expected.