Using mod-rewrite to check for authenticated users

         

JohnKelly

6:05 pm on May 20, 2005 (gmt 0)

10+ Year Member



If a user attempts to access www.domain.com/test/dir without logging in, I want to use mod_rewrite to redirect to the parent directory at www.domain.com/test to log them in. www.domain.com/test has basic authentication enabled.

Here's the .htaccess file I'm using in the www.domain.com/test/dir directory:

RewriteEngine on
RewriteCond %{AUTH_USER} ^(.*)
RewriteRule ^/(.*) [domain.com...]

It still doesn't work. It asks for authentication without redirecting to the parent directory. Does Apache check the parent directory .htaccess first, and then stop?

jdMorgan

7:39 pm on May 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> RewriteCond %{AUTH_USER} ^(.*)

The regular expression "^(.*)" will match anything, including blank.

"RewriteCond %{AUTH_USER} .+" might be better.

I'm also not sure about {AUTH_USER} -- it's not in the list of variables that RewriteCond can check. {REMOTE_USER} is a valid varname, if that's what you meant to use.

> Does Apache check the parent directory .htaccess first, and then stop?

This depends on the server config and RewriteOptions. If 'inherit' is not set, then subdirectories won't inherit the .htaccess configurations above that subdirectory.

Jim

JohnKelly

12:59 am on May 21, 2005 (gmt 0)

10+ Year Member



I found this in the Apache docs:


There is the special format %{LA-U:variable} for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable. Use this when you want to use a variable for rewriting which is actually set later in an API phase and thus is not available at the current stage. For instance when you want to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you have to use %{LA-U:REMOTE_USER} because this variable is set by the authorization phases which come after the URL translation phase where mod_rewrite operates. On the other hand, because mod_rewrite implements its per-directory context (.htaccess file) via the Fixup phase of the API and because the authorization phases come before this phase, you just can use %{REMOTE_USER} there.

So I changed my .htaccess in www.domain.com/test/dir/ to:

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} !.+
RewriteRule .* [domain.com...] [QSA,L]

But this causes a loop. I feel like I'm getting closer...

jdMorgan

1:10 am on May 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Read that quote again, though; it's quite specific. Since you're checking remote_user in .htaccess, you don't need (and probably should not use) the LA-U format.

At any rate, you can stop a loop by checking to see if you are already at the target URL:


RewriteEngine On
RewriteCond %{REQUEST_URI} !^/test/
RewriteCond %{LA-U:REMOTE_USER} ^$
RewriteRule .* http://www.domain.com/test/ [R=302,L]

You don't need [QSA] unless you want to add something to the existing query string.

Jim

[edited by: jdMorgan at 1:11 am (utc) on May 21, 2005]

JohnKelly

1:10 am on May 21, 2005 (gmt 0)

10+ Year Member



<added>
There is a space before the ! in the code above, the board munged the code.
</added>

JohnKelly

1:25 am on May 21, 2005 (gmt 0)

10+ Year Member



Checking for the target URL in the code you supplied never redirects back to /test/index.php to log hits. I modified the code as below:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/test/index.php
RewriteCond %{LA-U:REMOTE_USER} ^$
RewriteRule .* [domain.com...] [L]

But this loops as before.
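
Added example (not part of the thread and not any poster's code): a small Python linter that checks RewriteCond lines for the problems raised above, namely a pattern that matches blank and non-blank values alike, a variable name such as AUTH_USER that RewriteCond does not know, a LA-U look-ahead used in .htaccess, and a `!` that lost its leading space. The function name, the finding codes and the shortened variable list are assumptions made for this example, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Subset of the variable names listed in the mod_rewrite docs; extend as needed.
KNOWN_VARS = {
    "REMOTE_USER", "REMOTE_ADDR", "REMOTE_HOST", "AUTH_TYPE", "REQUEST_URI",
    "REQUEST_METHOD", "REQUEST_FILENAME", "QUERY_STRING", "THE_REQUEST",
    "HTTP_REFERER", "HTTP_HOST", "HTTP_USER_AGENT", "HTTP_COOKIE",
    "SERVER_NAME", "SERVER_PORT", "DOCUMENT_ROOT", "HTTPS", "IS_SUBREQ",
}
VAR_RE = re.compile(r"%\{(?:(LA-U|LA-F|ENV|HTTP|SSL):)?([^}]+)\}")

# Sample input built from the thread's own lines (line 3 as the board munged it).
SAMPLE = """\
RewriteCond %{AUTH_USER} ^(.*)
RewriteCond %{REMOTE_USER} .+
RewriteCond %{LA-U:REMOTE_USER}!.+
RewriteCond %{REQUEST_URI} !^/test/
"""


def lint_rewrite_conds(text, per_directory=True):
    """Return sorted (line_number, code) findings for RewriteCond lines."""
    findings = set()
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].lower() != "rewritecond":
            continue
        if len(parts) == 2 and "}!" in parts[1]:
            findings.add((n, "missing-space-before-negation"))
            head, tail = parts[1].split("}!", 1)
            parts = [parts[0], head + "}", "!" + tail]  # recover and keep checking
        if len(parts) < 3:
            continue
        for prefix, name in VAR_RE.findall(parts[1]):
            if prefix in ("ENV", "HTTP", "SSL"):
                continue  # free-form lookups, not checked against the list
            if name not in KNOWN_VARS:
                findings.add((n, "unknown-variable:" + name))
            if prefix == "LA-U" and per_directory:
                findings.add((n, "look-ahead-not-needed-in-htaccess"))
        body = parts[2].lstrip("!")
        try:  # heuristic: a pattern matching "" and a sample name tests nothing
            constant = bool(re.search(body, "")) and bool(re.search(body, "someuser"))
        except re.error:
            continue  # pattern Python cannot parse; skip the check
        if constant:
            findings.add((n, "pattern-matches-blank-and-non-blank"))
    return sorted(findings)
```

Calling `lint_rewrite_conds(SAMPLE)` flags lines 1 and 3; pass `per_directory=False` when checking rules that live in httpd.conf, where the look-ahead form is the one the quoted documentation calls for.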