Custom 403 page is not displayed for wildcard characters


I have the following in my .htaccess file for my custom 403 page:

ErrorDocument 403 /403.php

It works fine. When I try to access a forbidden folder, it displays my custom 403.php page. However, I was testing some URL combinations to make sure my rewrite rules were working correctly and when I used * in my URL like


it gave a 403 error, but it did not display my custom 403 page; it displayed the server’s 403 page.

Any ideas why it doesn’t display my custom 403 page?



My guess would have been that * is a reserved character however:

[quote=]2.3. Unreserved Characters

Data characters that are allowed in a URI but do not have a reserved
purpose are called unreserved. These include upper and lower case
letters, decimal digits, and a limited set of punctuation marks and

  unreserved  = alphanum | mark

  mark        = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"

Unreserved characters can be escaped without changing the semantics
of the URI, but this should not be done unless the URI is being used
in a context that does not allow the unescaped character to appear.[/quote]

If you need to catch an oddball URI like this, I’d suggest that you write your own 404 capture in .htaccess (mod_rewrite) and either send it to your error handler script OR simply ban anyone trying to hack your website like this (add their {REMOTE_ADDR} to a list of banned IP addresses in a block).



Is there a .htaccess file inside the includes/ folder? And does it have an ErrorDocument 403 directive?

If that one is overriding the parent one then that could cause the issue you describe.

Try putting the ErrorDocument directive in your httpd.conf or vhost file.

What do you see in your access and error logs for these requests?

It’s also worth triple checking that the 403 line definitely says ErrorDocument 403 /403.php and not ErrorDocument 403 403.php. That small typo would cause all of the symptoms you described.

Update after chat:

The final solution was to make the includes directory readable by the Apache user and add this to the .htaccess:

  <Location /includes>
    # Deny all client access to /includes
    Order Deny,Allow
    Deny from all
  </Location>

Hi DK,

Nobody tried that URL, I just stumbled upon it while testing my site. I was just trying to figure out why my custom 403 page is displayed for regular 403 situations (i.e. when I try to access a forbidden directory), but when I use the wildcard character in the URL, the default 403 page of the server is displayed, not my custom 403 page.

@Elizine, Putting the 403 error directive in the httpd.conf file worked, thanks for the tip. It seems when there is a wildcard character in the URL, the local .htaccess file in the root directory does not handle the error, the main configuration file (httpd.conf) does. By the way, you assumed that I have an “includes” folder, no idea why you got that impression.
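
The two configuration checks suggested in the thread (an ErrorDocument argument without its leading slash, and a nested .htaccess that sets the same status) can be automated. The following is an added example, not code from the thread: the function names are hypothetical, and the file paths and contents in SAMPLE are constructed.

```python
import re

# "ErrorDocument <3-digit status> <argument>", case-insensitive, leading whitespace allowed.
DIRECTIVE = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(.+?)\s*$', re.IGNORECASE)

def classify(argument):
    """Classify an ErrorDocument argument by how Apache interprets it."""
    arg = argument.strip().strip('"')
    if arg.lower() == "default":
        return "default"        # Apache's built-in error page
    if arg.startswith("/"):
        return "local-path"     # internal redirect, relative to DocumentRoot
    if re.match(r'^[a-z][a-z0-9+.-]*://', arg, re.IGNORECASE):
        return "external-url"   # client gets a redirect instead of the error status
    return "message"            # anything else is sent to the client as literal text

def audit(configs, status="403"):
    """configs maps a config file path to its text.
    Returns (path, line number, kind, argument) for each matching directive."""
    findings = []
    for path, text in configs.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue        # skip commented-out directives
            m = DIRECTIVE.match(line)
            if m and m.group(1) == status:
                findings.append((path, lineno, classify(m.group(2)), m.group(2)))
    return findings

def problems(findings):
    """Flag arguments that do not name a local page, and competing .htaccess files."""
    issues = [f"{p}:{n}: '{a}' is treated as {k}, not a local page"
              for p, n, k, a in findings if k != "local-path"]
    htaccess = sorted(p for p, _, _, _ in findings if p.endswith(".htaccess"))
    if len(htaccess) > 1:
        issues.append("several .htaccess files set this status; the deepest one "
                      "on the request path wins: " + ", ".join(htaccess))
    return issues

# Constructed sample input (not taken from the thread).
SAMPLE = {
    "/var/www/site/.htaccess": "ErrorDocument 403 /403.php\n",
    "/var/www/site/includes/.htaccess": "# local override\nErrorDocument 403 403.php\n",
}

if __name__ == "__main__":
    for issue in problems(audit(SAMPLE)):
        print(issue)
```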
