Apache basic authentication not prompting for .php files

I’ve got a directory in my website that contains two files: test.html and test.php I’ve enabled Apache’s basic authentication on this directory and set up a username/password. I expect that when I start a new browser session and try to access either of these files that I should be prompted to enter a username/password. If I enter a valid username/password then subsequent access of either file in the same browser session should not prompt for a username/password but just serve the file. However this isn’t what I’m seeing.

If I start up a browser and access www.mywebsite.com/test.php then I get a “File not found” error. I don’t get prompted for a username/password.

If I start up a browser and access www.mywebsite.com/test.html then I get prompted for a username/password. If I enter the username/password then the test.html page is displayed. I can then access the test.php page and that page is displayed ok.

Am I wrong in expecting to be prompted for a username/password when I access the .php file directly for the first time in a browser session? I’m sure in the past that’s how its worked on my web host when I’ve protected directories.

I’m using PHP 7.0.33-0ubuntu0.16.04.16, the Server API is FPM/FastCGI, Apache/2.4.18 (Ubuntu).

Can you post your full configuration, including eventual .htaccess files?

The .htaccess file looks like this:

Allow from 60.234.45.150

# DYNAMIC CONTENT DO NOT MODIFY
Allow from 60.234.45.150
Deny from all
AuthType Basic
AuthUserFile /var/users/aweb4u/test7.aweb4u.co.nz/htdocs/.htpasswd
AuthName "SECURE PAGE"
Require valid-user
Satisfy any

The .htaccess and .htpasswd files are generated by my web host’s console but I can edit the .htaccess file directly if I need to (I only have FTP access, no shell access).

If you want to test the files directly then they are:

http://test7.aweb4u.co.nz/test.php
http://test7.aweb4u.co.nz/test.html

Username: test
Password: test

Contents of test.html:

<html>
  <head>
    <title>This is test.html</title>
  </head>
  <body>
    <p>This is test.html</p>
  </body>
</html>

Contents of test.php:

<html>
  <head>
    <title>This is test.php</title>
  </head>
  <body>
    <p><?php echo 'This is test.php'; ?></p>
    <p>Running on PHP <?php echo phpversion(); ?></p>
  </body>
</html>

Note that all of this is just a test subdomain that I set up to test this while I’m troubleshooting. Once I get a solution I’ll be deleting all of this. I haven’t approached my web host yet as I wasn’t sure if I was making some sort of mistake.

To me this looks fine. I’d ask your host if I were you. There might be something in the main apache configuration clashing with this, which is impossible to know without seeing that configuration.

Also, just to cover a few… helpdesk-level-1 sort of responses you’re likely to get…

  • How are you starting a ‘new’ browser session?
  • Have you tried turning on Incognito/Private Browsing mode and gone to the same page, to make sure that your browser isnt sneaky-caching your credentials and/or the page itself?
    ** Have you tried going to test.php?q=0893808324098234 (rudimentary cache-busting)?
1 Like

Thanks guys, looks like we’ve covered all the obvious stuff. I’ve got a support ticket in with the hosting company so I’ll just have to wait and see what they say. My reason for asking here was just to make sure that I wasn’t overlooking something obvious or making a silly mistake.

1 Like

Just as a follow up, the hosting company have come back to me and said they’ve fixed the issue. They didn’t say what caused it but I’ve verified that it indeed is fixed, so must have been some sort of misconfiguration at their end.

4 Likes