|Apache password protected Drupal installation, password asked twice|
| 5:33 pm on Jul 23, 2010 (gmt 0)|
I have a Drupal installation and it is password protected. However, when I go to the site, I am asked to input the password twice.
Any idea why?
1st time: AuthName is exactly the one I set in password file
2nd time: I was asked to enter user name and password for an AuthName that I have no idea where it is from.
Apache conf should be set up correctly. It is the first time I have had such issues when setting up an (Apache) password-protected directory.
ServerName is www.example.com
ServerAlias is example.com
DocumentRoot is /var/www/html/example
URL I visited is www.example.com/some-url
I checked error log file. And I found that it reported that user Joe was not found, where Joe is the user name I entered at the 2nd time.
| 6:13 pm on Jul 23, 2010 (gmt 0)|
What changed recently - anything?
Authentication is likely per-hostname. So be sure that since you have example.com aliased to www.example.com, all authentication requests and responses are within the www- domain. Also, redirect all requests for the non-www hostname to the www- hostname to prevent problems caused by non-canonical hostnames in incoming links to your authenticated page(s).
| 6:26 pm on Jul 23, 2010 (gmt 0)|
Nothing has changed. It is a new request from my co-workers to add password protection to this site; it was open to the public before.
AuthName "Secure Area"
The first time I visit, the pop-up window asks me for the user name and password for AuthName "Secure Area", which is right. But then another one asks me for an AuthName of something else, which I have no idea about.
The other odd thing I notice is that the above Apache conf works fine for another Drupal installation that is hosted on the same server.
I highly suspect it is because of something with Drupal but I cannot figure out yet.
| 7:10 pm on Jul 23, 2010 (gmt 0)|
I figured out it is because of a Drupal module: [drupal.org...]
Not my fault :)
| 1:54 pm on Jul 24, 2010 (gmt 0)|
And what was that module doing -- redirecting to a different www/non-www hostname after the authentication, as I postulated?
Again, you should put a redirect in place to make sure that requests for the non-canonical hostname get redirected to the canonical hostname. But only after making sure that nothing on your own site ever links to the non-canonical hostname. That is, the purpose of the redirect is mainly to prevent *other sites* from linking incorrectly to your site, and sending visitors through the "two-login" loop that you encountered...
The likelihood of someone (another webmaster) linking to the wrong hostname goes down if they themselves get redirected to the correct hostname when visiting your site. It doesn't eliminate the problem completely, but it helps a lot.
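The canonical-hostname redirect recommended in the replies above, written out as an added example that is not part of the original thread. It reuses the ServerName, ServerAlias, DocumentRoot and AuthName quoted by the poster; the `AuthUserFile` path, the port and the `http://` scheme are assumptions. Browsers remember Basic credentials per hostname and realm, so giving the bare hostname its own redirect-only vhost keeps every challenge on www.example.com.

```apache
# Before (as described in the thread): one vhost answers for both hostnames,
# so a Basic auth challenge can be issued under either name.
# <VirtualHost *:80>
#     ServerName www.example.com
#     ServerAlias example.com
#     DocumentRoot /var/www/html/example
# </VirtualHost>

# After: the non-www hostname gets its own vhost that only redirects.
# It carries no Auth* directives, so the visitor is sent to the canonical
# hostname before any password prompt appears.
<VirtualHost *:80>
    ServerName example.com
    # mod_alias: the rest of the requested path is appended to the target.
    Redirect permanent / http://www.example.com/
</VirtualHost>

# The canonical hostname is the only place the protected content is served.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html/example

    <Directory /var/www/html/example>
        AuthType Basic
        AuthName "Secure Area"
        # Assumed path; keep the password file outside DocumentRoot.
        AuthUserFile /etc/apache2/example.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

A second prompt that shows a different AuthName, as in this thread, comes from a separate challenge with its own realm; the response's `WWW-Authenticate` header shows which realm is being requested.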