
Apache Web Server Forum

ReWriteRule and Basic Authentication

Msg#: 4334156 posted 4:00 pm on Jul 2, 2011 (gmt 0)

I'm having a problem with removing "www." from URLs when a directory is protected with Basic Authentication. The following lines for .htaccess (or slight variations) are found everywhere on the web.

"RewriteCond %{HTTP_HOST} ^www\.(.*) [NC]"
"RewriteRule ^(.*) h ttp://%1/$1 [R=301,L]" <- I had to insert a space into "http" for the post

They work great except when a folder is protected. All of these work fine:

xyz.com --> xyz.com
www.xyz.com --> xyz.com
xyz.com/a/ --> xyz.com/a/
www.xyz.com/a/ --> xyz.com/a/

If Basic Authentication is set on for folder "b", this works fine: credentials are requested and accepted.

xyz.com/b/ --> xyz.com/b/

For the following, with FF5, Chrome13, Safari5, I get a credential request with www.xyz.com as the domain and then a second one with xyz.com as the domain, and then I see the page. With IE9, all I get is an error page every time.

www.xyz.com/b/ --> error with IE9!

Is there something I can do differently in .htaccess? Ideally I'd like to get only one request for credentials. [Note: I don't need to hear "Don't use IE9"]

Second problem: If I have a custom error page "ErrorDocument 401 /error.php" set, then the error page always gets called with a $_SERVER["REDIRECT_STATUS"] of 200 when www.xyz.com/b/ is requested. This happens on IE9, FF5, Chrome13, and Safari5. It doesn't happen with requests for xyz.com/b/.

Thanks for any suggestions,



WebmasterWorld Senior Member jdmorgan (WebmasterWorld Top Contributor of All Time, 10+ Year Member)

Msg#: 4334156 posted 1:44 pm on Jul 12, 2011 (gmt 0)

The basic problem is that mod_auth always runs before mod_rewrite, so you're going to get two auth requests (no matter what) if the hostname is incorrect and all domains are mapped to the same server filespace.

The best approach is to always link (on your site) only to the correct/canonical hostname, redirect all non-canonical requests that you can, and then "just live with it" if people are trying to log in using the non-canonical hostname.

Otherwise, you may want to consider implementing your own auth scheme, but that may be a bigger project than it's worth...

Alternately, if you have server-level config access, then you could map the canonical domain to the "normal" filespace, but map all non-canonical requests to a "special" filespace. In this special filespace, authentication/authorization can be disabled, and all requests can be redirected back to the canonical domain. It is possible that you may be able to do this using the "add-on domain" feature of some control panels, but it's usually easier and much more straightforward at the server config level.

Hopefully, one or more of these ideas will help...
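
The server-level split described in the reply above, sketched as an added example that is not part of the original thread or either poster's configuration. xyz.com, folder "b" and the ErrorDocument line come from the thread; the filesystem paths, realm name and password file location are assumptions.

```apache
# Canonical host: the "normal" filespace. Basic auth applies only here,
# so a visitor is challenged once, with xyz.com as the domain.
<VirtualHost *:80>
    ServerName xyz.com
    # Assumed path for the real site content
    DocumentRoot /var/www/xyz.com

    # Custom 401 page from the original question
    ErrorDocument 401 /error.php

    <Directory /var/www/xyz.com/b>
        AuthType Basic
        # Assumed realm name
        AuthName "Restricted"
        # Assumed location; keep the password file outside DocumentRoot
        AuthUserFile /etc/apache2/htpasswd-xyz
        Require valid-user
    </Directory>
</VirtualHost>

# Non-canonical host: the "special" filespace. It contains no content and
# no Auth* directives, so nothing here can trigger a credential prompt.
<VirtualHost *:80>
    ServerName www.xyz.com
    # Assumed empty directory; it must not overlap the canonical
    # DocumentRoot, or that tree's .htaccess files would apply here too
    DocumentRoot /var/www/redirect-only

    # mod_alias prefix redirect: /b/ becomes http://xyz.com/b/ with a 301,
    # preserving the rest of the path
    Redirect permanent / http://xyz.com/
</VirtualHost>
```

With this layout the www-removal RewriteCond/RewriteRule pair is no longer needed in the canonical site's .htaccess, because requests for www.xyz.com never reach that directory tree.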

