htaccess Authentication – Fixing Continuous Password Prompts After Login


This has ALWAYS worked before so I'm not sure why it isn't working now.

Scenario

I have work done in a folder that I would like a different user to view. When they visit it, their username/password combo works, but whenever they navigate to a different page they are prompted again with the sign-in prompt. However, when they use my account it works as expected.

Question

What's going on here and how can I get around it? I've made a number of attempts to get around this with no success.

Notes

  • My user is a Linux user on the machine
  • Their user is an htaccess user with a (SHA) htpasswd record
  • This didn't start happening until recently (I'm not aware of any server updates)
  • I've tried this from multiple browsers, multiple OSes, multiple IPs

.htaccess

AuthUserFile /var/www/.htpasswd
AuthType Basic
AuthName "Password Required"
Require user jackson david
Order Deny,Allow
Deny from All
# jackson home
Allow from xx.xx.xx.219
Satisfy Any

Server Info

$ apache -v
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Jul 15 2016 15:34:04

$ lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:    14.04
Codename:   trusty

Best Answer

Basic authentication requires the browser to send your credentials with each HTTP request, and the server will prompt you for those when you try to access a password-protected area without a valid username/password.

Basic Authentication is also limited in scope, and when you go outside of the initial scope your browser stops sending your known credentials with each request.

For example, given an authenticated request to:

  http://example.com/folder/docs/index.html

requests to the URIs below could use the known credentials:

  http://example.com/folder/docs/
  http://example.com/folder/docs/test.doc
  http://example.com/folder/docs/?page=1
  http://example.com/folder/docs/archive/1999/old.doc

while the URIs

  http://example.com/folder/other/
  http://example.com/folder/
  http://example.com/
  https://example.com/folder/docs/
      ^

would be considered to be outside the authentication scope. If one or more of those locations are also password protected (for instance with a different .htaccess file) the server will need to prompt your browser to supply credentials AGAIN.

When the domain is the same and the "realm" (the value of AuthName, i.e. "Password Required") is the same for both areas on your web server, the browser will first try the known credentials. If the realm is different, the browser won't use the known credentials but will show you a login prompt.

With nested authentication and different "realm" values, but identical valid username/password combinations (see below), you will get the slightly counterintuitive behaviour that the order in which you visit the URLs matters.

        URL                        Authname            Valid Users
   http://example.com/folder       "Private"           jackson
   http://example.com/folder/docs  "Password Required" jackson david

First going to http://example.com/folder/docs will store your password, but due to the different realm you would be prompted for a password when you go outside the original context to http://example.com/folder.

When you first visit http://example.com/folder your credentials are stored and will be sent automatically when you go to http://example.com/folder/docs as that is in the same context. Because the server won't need to prompt you for credentials your browser won't even notice that it is a different realm now.
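The scope and order-dependent behaviour described in the answer, modelled as an added Python example (not part of the original answer): the AREAS table, the user names and the browser credential cache are constructed from the answer's table and simplify what real browsers do.

```python
from urllib.parse import urlsplit

# Constructed model of the two nested areas from the answer's table.
AREAS = {
    "/folder/":      {"realm": "Private",           "users": {"jackson"}},
    "/folder/docs/": {"realm": "Password Required", "users": {"jackson", "david"}},
}

def protection_space(url):
    """Origin plus the directory prefix (up to the last '/') that the browser
    treats as covered by Basic credentials it has already sent there."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    directory = p.path[: p.path.rfind("/") + 1] or "/"
    return (p.scheme, p.hostname, port, directory)

def inside(space, url):
    """True when url lies within a previously learned protection space."""
    scheme, host, port, directory = protection_space(url)
    return space[:3] == (scheme, host, port) and directory.startswith(space[3])

def area_for(url):
    """Longest configured prefix wins, as the deepest .htaccess does."""
    path = urlsplit(url).path
    hits = [d for d in AREAS if path.startswith(d)]
    return max(hits, key=len) if hits else None

def simulate(user, visits):
    """Walk the visits in order; return the URLs at which a login prompt appears.
    cache holds (protection_space, realm) pairs whose credentials were accepted."""
    cache, prompts = [], []
    for url in visits:
        area = area_for(url)
        if area is None:
            continue                      # unprotected: no challenge at all
        realm, valid = AREAS[area]["realm"], AREAS[area]["users"]
        # 1. Same scope: browser sends cached credentials pre-emptively.
        if any(inside(space, url) for space, _ in cache) and user in valid:
            continue
        # 2. Server challenges; same realm on this origin -> silent retry.
        origin = protection_space(url)[:3]
        if any(s[:3] == origin and r == realm for s, r in cache) and user in valid:
            cache.append((protection_space(url), realm))
            continue
        # 3. Otherwise the user sees the prompt; remember it if it succeeds.
        prompts.append(url)
        if user in valid:
            cache.append((protection_space(url), realm))
    return prompts
```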
