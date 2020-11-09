Apache basic authentication not prompting for .php files

I’ve got a directory in my website that contains two files: test.html and test.php I’ve enabled Apache’s basic authentication on this directory and set up a username/password. I expect that when I start a new browser session and try to access either of these files that I should be prompted to enter a username/password. If I enter a valid username/password then subsequent access of either file in the same browser session should not prompt for a username/password but just serve the file. However this isn’t what I’m seeing.

If I start up a browser and access www.mywebsite.com/test.php then I get a “File not found” error. I don’t get prompted for a username/password.

If I start up a browser and access www.mywebsite.com/test.html then I get prompted for a username/password. If I enter the username/password then the test.html page is displayed. I can then access the test.php page and that page is displayed ok.

Am I wrong in expecting to be prompted for a username/password when I access the .php file directly for the first time in a browser session? I’m sure in the past that’s how its worked on my web host when I’ve protected directories.

I’m using PHP 7.0.33-0ubuntu0.16.04.16, the Server API is FPM/FastCGI, Apache/2.4.18 (Ubuntu).

Can you post your full configuration, including eventual .htaccess files?

The .htaccess file looks like this:

Allow from 60.234.45.150

# DYNAMIC CONTENT DO NOT MODIFY
Allow from 60.234.45.150
Deny from all
AuthType Basic
AuthUserFile /var/users/aweb4u/test7.aweb4u.co.nz/htdocs/.htpasswd
AuthName "SECURE PAGE"
Require valid-user
Satisfy any

The .htaccess and .htpasswd files are generated by my web host’s console but I can edit the .htaccess file directly if I need to (I only have FTP access, no shell access).

If you want to test the files directly then they are:

http://test7.aweb4u.co.nz/test.php
http://test7.aweb4u.co.nz/test.html

Username: test
Password: test

Contents of test.html:

<html>
  <head>
    <title>This is test.html</title>
  </head>
  <body>
    <p>This is test.html</p>
  </body>
</html>

Contents of test.php:

<html>
  <head>
    <title>This is test.php</title>
  </head>
  <body>
    <p><?php echo 'This is test.php'; ?></p>
    <p>Running on PHP <?php echo phpversion(); ?></p>
  </body>
</html>

Note that all of this is just a test subdomain that I set up to test this while I’m troubleshooting. Once I get a solution I’ll be deleting all of this. I haven’t approached my web host yet as I wasn’t sure if I was making some sort of mistake.

To me this looks fine. I’d ask your host if I were you. There might be something in the main apache configuration clashing with this, which is impossible to know without seeing that configuration.

Also, just to cover a few… helpdesk-level-1 sort of responses you’re likely to get…

  • How are you starting a ‘new’ browser session?
  • Have you tried turning on Incognito/Private Browsing mode and gone to the same page, to make sure that your browser isnt sneaky-caching your credentials and/or the page itself?
    ** Have you tried going to test.php?q=0893808324098234 (rudimentary cache-busting)?
Thanks guys, looks like we’ve covered all the obvious stuff. I’ve got a support ticket in with the hosting company so I’ll just have to wait and see what they say. My reason for asking here was just to make sure that I wasn’t overlooking something obvious or making a silly mistake.