httpd-users mailing list archives

From Peter <>
Subject [users@httpd] htaccess AuthType Basic: some files get served without a password challenge!
Date Wed, 01 Feb 2006 10:57:12 GMT
# for basic

deny from all
AuthType Basic 
AuthUserFile /home/content/sec/pwfile
AuthGroupFile /dev/null
AuthName "Restricted Area"

This is my htaccess file and when a user accesses this dir, a username
password challenge comes up and works fine. HOWEVER certain file types are
served right away without a password challenge! Others are challenged.

I use a web hosting service, so I don't have access to their conf files. I
can only manage my htaccess files.

If a user knows a filename and tries to access it directly sometimes
he/she can.

For example:

will be served immediately with no password challenge.
Same with
or even a file with no extension
will also be served without a challenge.
always is challenged as well as

Of course, if the files don't exist mostly I get a 404 error instead of a
password challenge and sometimes just a blank screen.

My question is WHY? My hosting company uses Apache 1.3.31 and of course,
they're of little help.

I tried playing with the Limit and file directives, but they seem not to
work. I have two questions:
1) I searched the bugs and found some similar issues. Is this behavior
normal? Or, am I doing something wrong?
2) Is there a way I can protect this dir from direct file access, or do I
need to rename everything to .gif in order to protect it?

Thanks in advance.
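
An added example, not part of the original post and not Apache project code: a small Python check that reads an .htaccess and flags three documented reasons Basic authentication does not cover every request (no Require line at all, Require scoped inside <Limit> or <Files>, and Satisfy any). The function name, finding codes and SAMPLE text are constructed for illustration; POSTED is the file as it is shown in the post.

```python
import re

AUTH = {"authtype", "authname", "authuserfile", "authgroupfile"}

def audit_htaccess(text):
    """Return (line_no, code, detail) findings; line_no 0 means the whole file."""
    findings, scope = [], []      # scope: stack of open <Section args> blocks
    has_auth = has_require = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sec = re.match(r"<\s*(/?)\s*(\w+)\s*([^>]*)>", line)
        if sec:                   # track <Limit>/<Files>/<FilesMatch> nesting
            closing, name, args = sec.groups()
            if closing:
                del scope[-1:]    # pop innermost section, tolerate stray closers
            else:
                scope.append((name.lower(), args.strip()))
            continue
        name, arg = (line.split(None, 1) + [""])[:2]
        name = name.lower()
        if name in AUTH:
            has_auth = True
        elif name == "require":
            has_require = True
            for sname, sargs in scope:
                if sname == "limit":
                    findings.append((no, "LIMIT_SCOPED", f"only methods {sargs} are protected"))
                elif sname in ("files", "filesmatch"):
                    findings.append((no, "FILES_SCOPED", f"only files matching {sargs} are protected"))
        elif name == "satisfy" and arg.strip().lower() == "any":
            findings.append((no, "SATISFY_ANY", "passing the host check alone grants access"))
    if has_auth and not has_require:
        findings.append((0, "NO_REQUIRE", "Auth* directives without Require never force a login"))
    return findings

# The .htaccess as it is shown in the post above.
POSTED = ("# for basic\n\ndeny from all\nAuthType Basic\n"
          "AuthUserFile /home/content/sec/pwfile\nAuthGroupFile /dev/null\n"
          'AuthName "Restricted Area"\n')
# Constructed sample, not from the post.
SAMPLE = ('AuthType Basic\nAuthName "Restricted Area"\n<Limit GET POST>\n'
          "require valid-user\n</Limit>\nSatisfy any\n")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("sample", SAMPLE)):
        for finding in audit_htaccess(text):
            print(label, finding)
```

A clean result only means none of these three patterns is present in the .htaccess itself; settings in the host's server configuration are outside what it can see.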
