0

My site is managed by Apache on Linux. In the base directory, there is the sub folder fill. In this subfolder, there is a php script: do.php

Here is my .htaccess:

AuthType Basic
AuthName 'Welcome back'
AuthUserFile /home/provider/mysite/fill/.htpasswd
Require valid-user

Here is my .htpasswd:

ab12:2yd32253zi7Nz2

When I go to http://mysite/fill, I am asked a username and a password. When I specify them (ab12 with the password), I login successfully and see the content of index.html located in this fill folder (i.e. http://mysite/fill/index.html). Then, I clear browsing history and all the passwords saved earlier. After that, when I run the script http://mysite/fill/do.php, I am NOT asked for any authentication.

The question: is it possible to ask for credentials when running http://mysite/fill/do.php? Any changes in htaccess?

Thank you.

user54614
  • 359
  • 2
  • 6
  • 18
  • 1
    Did you clear your cookies at the same time as clearing other data? – doneal24 Sep 05 '18 at 16:24
  • Yes, I tried to clean everything including cookies. Actually, not sure the reason for this behavior is that I didn't logout properly. I tried it with a clean browser where I have never got to mysite. The problem is that I am not asked a password even when I go to mysite/fill/do.php on the clean browser... – user54614 Sep 05 '18 at 16:52

1 Answers1

1

Looking at Apache documentation on Authentication, Authorization, and Access Control, unfortunately it seems that it is not possible to logout.

So the problem is not that http://mysite/fill/do.php is not asking for credentials. The actual problem here is that you are not able to reset the authentication.

How do I log out?

Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.

However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.

Consequently, the answer to this question is, you can't. Sorry.

Looking at this question, you might be able to reserach other ways to logout.

Victor Wong
  • 448
  • 4
  • 9
  • Hi Victor, actually, not sure the reason for this behavior is that I didn't logout properly. I tried it with a clean browser where I have never got to http://mysite. The problem is that I am not asked a password even when I go to http://mysite/fill/do.php on the clean browser... – user54614 Sep 05 '18 at 16:50
  • 1
    Can you show your full configuration? I suspect that your directory block may not be properly configured. – Victor Wong Sep 06 '18 at 02:03
  • it is exactly full configuration. There is nothing else in .htaccess and .htpassword than described above. – user54614 Sep 06 '18 at 08:59
  • 1
    Actually [this](https://stackoverflow.com/a/22271768/7323888) might solve your issues, let me know if it works. – Victor Wong Sep 06 '18 at 09:11
  • Thank you Victor. As far as I can see this solution is for quite another problem. Also, the solution includes not only a RewriteRule string in .htaccess but also some playing with basic auth in the php script itself. That's a bit strange for me. I just thought it is somehow should be implemented with .htaccess and .htpasswd only. But thank you so much for your help and attention. – user54614 Sep 06 '18 at 12:16