httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk Thomas / 4wd media <>
Subject [users@httpd] How to achieve mixed authentication/anonymous access
Date Wed, 14 Apr 2010 21:04:52 GMT

i have a problem with Authentification.
I currently doubt that it is possible at all.
Perhaps someone can enlighten me how to achive the goal or confirm that it is not reachable.

The scenario is to achieve a mixed authentication/anonymous access similar as described for
Subversion (see

Therefore the ".htaccess" looks something like that:
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Realm"
    AuthUserFile "/some/path/.htusers"
    require valid-user
    Satisfy any

Additionally a PHP script is inside the same folder.
When you now browse to the URL of the PHP script, you can access it without any credentials

At some point the PHP script "decides" that authentification is required (e.g. when passing
a param like "?access-secret=1"). Therefore it sends the following two headers:
    WWW-Authenticate: Basic realm="Realm"
    HTTP/1.x 401 Unauthorized

Then you are asked to insert your username/password for the basic auth.

But now comes the problem:
How can the PHP script determine if you have provided valid credentials?
The server variables PHP_AUTH_USER and PHP_AUTH_PW are populated independent of the result
of the authentification defined in Apache.

I do explicitly not want to check the credentials in PHP - think of the many different auth-methods
which could be configured with Apache.
Nor can the anonymous and authenticated parts be split in separate folders (to use separate

Is this goal even possible or is the only way to not allow anonymous access (but for replacement
a dummy user like "guest" with no password) or implement the auth in PHP?

Any feedback is highly appreciated.

Thank you

PS: sorry if the message is posted twice - once with wrong subject...

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message