httpd-users mailing list archives

From Peter <pete4...@comcast.net>
Subject [users@httpd] htaccess AuthType Basic: some files get served without a password challenge!
Date Wed, 01 Feb 2006 10:57:12 GMT
# for basic

deny from all
AuthType Basic
AuthUserFile /home/content/sec/pwfile
AuthGroupFile /dev/null
AuthName "Restricted Area"

This is my htaccess file and when a user accesses this dir, a username
password challenge comes up and works fine. HOWEVER certain file types are
served right away without a password challenge! Others are challenged.

I use a web hosting service, so I don't have access to their conf files. I
can only manage my htaccess files.

If a user knows a filename and tries to access it directly sometimes
he/she can.

For example:

http://mysecure.dir/file.xls
will be served immediately with no password challenge.
Same with
http://mysecure.dir/file.ico
or even a file with no extension
http://mysecure.dir/file
and
http://mysecure.dir/file.zip
will also be served without a challenge.
But
http://mysecure.dir/file.gif
always is challenged as well as
http://mysecure.dir/file.html

Of course, if the files don't exist, mostly I get a 404 error instead of a
password challenge, and sometimes just a blank screen.

My question is WHY? My hosting company uses Apache 1.3.31 and of course,
they're of little help.

I tried playing with the Limit and file directives, but they seem not to
work. I have two questions:
1) I searched the bugs and found some similar issues. Is this behavior
normal? Or, am I doing something wrong?
2) Is there a way I can protect this dir from direct file access, or do I
need to rename everything to .gif in order to protect it?

Thanks in advance.

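For comparison, here is the form of `.htaccess` that makes the password requirement explicit. This is an added example, not the poster's file and not anything from the Apache project; the `AuthUserFile` path and realm name are copied from the message above. The posted file sets `AuthType`, `AuthUserFile` and `AuthName`, but it contains no `Require` directive, and Apache (1.3 included) only consults the authentication modules for requests that some `Require` directive applies to. A per-directory file without `Require` therefore does not by itself force a challenge; what happens to a given file then depends on the provider's server-wide configuration, which the poster cannot see.

```apache
# Weak: the directives from the post. AuthType/AuthUserFile/AuthName say
# HOW to authenticate, but nothing here says WHO must authenticate, so this
# file alone never switches authentication on. "deny from all" with the
# default "Satisfy All" would also refuse every client outright.
#
#   deny from all
#   AuthType Basic
#   AuthUserFile /home/content/sec/pwfile
#   AuthGroupFile /dev/null
#   AuthName "Restricted Area"

# Hardened: require a valid user for every file in the directory.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/content/sec/pwfile
AuthGroupFile /dev/null
# "Require" is what turns authentication on; "valid-user" accepts any
# account listed in AuthUserFile ("Require user alice bob" names accounts).
Require valid-user
# Apache 1.3 default, stated explicitly: host-based and user-based checks
# must both pass. No "deny from all" here, or nobody could get in.
Satisfy All

# Alternative, if the provider sets "Satisfy Any" server-wide: keep a host
# rule that denies everyone and let a valid password override it.
# Use only one of the two forms in a given .htaccess.
#
#   order deny,allow
#   deny from all
#   Satisfy Any
#   Require valid-user
```

Both `Require` and `Satisfy` are only honoured in `.htaccess` when the provider's `AllowOverride` for the directory includes `AuthConfig`; if they are silently ignored, that is the first thing to ask the host about. After changing the file, the check is simple: request one file of each extension from the post (`.xls`, `.ico`, no extension, `.zip`, `.gif`, `.html`) without credentials and confirm every one returns `401` with a `WWW-Authenticate` header rather than `200`.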

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

