You'd need to remove any authorization requirements on the CSS file and on any other elements (images, external JS, etc.) the 401 page includes. Otherwise, attempts to access them in a currently-unauthorized state will simply result in another call for authorization, which would lead to recursion. Apache prevents that, but it hides this problem by doing so.

Downside: The fix exposes your stylesheet to unauthorized access.

Also, consider this: How important is it that your custom error pages be styled? One school of design would say that if you already have an error, you do not want to introduce further dependencies and complications into the problem. I tend to think that way, and all of my custom error pages are "styled" with plain-old <font> tags and devoid of any images or other external dependencies in order to avoid this very problem. I keep my error-handlers dirt-simple and very short so that they are less likely to fail and further complicate the problem that invoked them.

Imagine the scenario where you mis-type the filename of a new, updated stylesheet on the server. So, that file goes 404-Not Found when requested by your pages. But if the 404 Error Document page also includes that stylesheet, then the 404 error page itself will cause a 404, and that's a real recursive mess.

One other approach that might work, but I haven't tried it: Instead of using an "HTML include" of <style type="text/css">@import url(mysite.css);</style>, you could use <style></style> tags around a direct SSI-include of the external style sheet. This would make the style sheet look "internal" to the error page, and so not invoke an additional authorization session.

Me, I go for simple... :)

Jim

thanks, i was wondering about that, but the strange thing is that the css file isnt within any protected directories, its in the server root. ah well, using <style> or regular tags couldnt hurt on this one page i suppose.