Forum Moderators: phranque

question about .htaccess password protection


drooh

2:31 am on Apr 22, 2009 (gmt 0)

10+ Year Member



I have in my root directory an .htaccess file that requires visitors to enter a password.

The problem is I also have phpmyadmin installed and the .htaccess file is causing problems.

Is there a way to tell the .htaccess file to protect all but certain areas? I don't want to type all the directories to protect because there are hundreds, I just want to list a few that don't need protection.

what is the best way to do this?

For instance in my .htaccess file

AuthUserFile "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/.htpasswd"
AuthName "Password Protected"
AuthType Basic
require valid-user
- omit directory /phpmyadmin/

jdMorgan

4:29 am on Apr 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



See the directives SetEnvIf, Order, Allow from env=<var>, and "Satisfy any". Long list, yes, and a difficult cure for one of the least-well implemented features of Apache...

Basically, you tell the server that if the Request_URI is NOT the root directory or a small number of protected directories, then allow access even without 'valid-user'.

I believe there's an example in one of the Apache.org tutorials cited in our Forum Charter.

Jim

drooh

4:41 am on Apr 22, 2009 (gmt 0)

10+ Year Member



I don't want to type all the directories to protect because there are hundreds, I just want to list a few that don't need protection.

jdMorgan

4:55 am on Apr 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sorry, you can do it either way. Use a positive URL match or negative URL match. Allow a few or Deny a few. Combinatorially, there are four ways to do it, two of which you can use.

Jim

drooh

5:05 am on Apr 22, 2009 (gmt 0)

10+ Year Member



OK, sorry, I'm looking through the stuff at Apache and it seems like Greek, can you help?

drooh

7:02 pm on May 3, 2009 (gmt 0)

10+ Year Member



here is my set up

home server
php
mysql
phpmyadmin

I'm using htaccess to force a password when entering the site
I want to remove that password over the folder for my phpmyadmin
phpmyadmin has its own password and the two seem to be conflicting

so I'd like to do something like this

password protect all directories with the same login, pass omit folder /phpmyadmin/ and use its own login, pass

I've got this in there but don't quite understand it

SetEnvIf Request_URI "/phpMyAdmin/$" allow_all
Order allow,deny
Allow from env=allow_all
Satisfy any

drooh

7:13 pm on May 3, 2009 (gmt 0)

10+ Year Member



This is my .htaccess file which protects the whole htdocs directory. How do I modify this to remove the password protection from the /phpmyadmin/ that is inside the htdocs directory?

AuthUserFile "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/.htpasswd"
AuthName "Password Protected"
AuthType Basic
require valid-user

jdMorgan

2:07 pm on May 13, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The only major thing I see wrong is that your phpMyAdmin path was end-anchored, meaning that only the directory-index at /phpmyadmin/ would have been "allowed," and no other files below that. There was also no start-anchor on that URL-path, which leaves a potential 'security hole' due to URL-path ambiguity, and which should be corrected.

This stuff never seems to work the way one thinks it should...

Here is my best guess, and because I always seem to struggle with it just like everyone else, it is only a guess:


# Define Auth file, realm, and type
AuthUserFile "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/.htpasswd"
AuthName "Password Protected"
AuthType Basic
#
# Set access control evaluation priority -- Allows override Denys
Order Deny,Allow
#
# Treat "Require" and "Allow" directives as equivalent
Satisfy any
#
# Detect always-allowed URL-path(s)
SetEnvIf Request_URI "^/phpMyAdmin/" allow_all
#
# Default access state if not authorized or not requesting an always-allowed URL-path is "Deny"
Deny from all
#
# Allow authorized users
Require valid-user
#
# Allow everybody to access always-allowed URL-path(s)
Allow from env=allow_all

Jim
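
As an added illustration (not part of Jim's post or the original thread), this Python sketch models which request paths skip the password under the Deny from all / Allow from env=allow_all / Satisfy any setup above, for each of the two SetEnvIf patterns posted in this thread. The sample request paths are constructed, and Python's re module stands in for Apache's regex engine, which is an assumption that holds for patterns this simple.

```python
import re

# The two SetEnvIf Request_URI patterns posted in this thread.
OLD_PATTERN = r"/phpMyAdmin/$"  # end-anchored only
NEW_PATTERN = r"^/phpMyAdmin/"  # start-anchored prefix

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    "/phpMyAdmin/",
    "/phpMyAdmin/index.php",
    "/clients/acme/phpMyAdmin/",
    "/phpmyadmin/",
    "/index.html",
]


def is_exempt(pattern, request_uri):
    """True if SetEnvIf would set allow_all: an unanchored, case-sensitive
    regex search against the URL-path (Request_URI has no query string)."""
    path = request_uri.split("?", 1)[0]
    return re.search(pattern, path) is not None


def decide(pattern, request_uri, valid_user):
    """Model 'Satisfy any': either the Allow rule or a valid login suffices."""
    if is_exempt(pattern, request_uri):
        return "open"
    return "authenticated" if valid_user else "401"


def audit(pattern):
    """List the sample paths that are served without any password."""
    return [uri for uri in SAMPLES if decide(pattern, uri, False) == "open"]


if __name__ == "__main__":
    for name, pattern in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        print(name, pattern, "->", audit(pattern))
```

With either pattern the lower-case /phpmyadmin/ request stays behind the password, because the match is case-sensitive; SetEnvIfNoCase is the case-insensitive form of the directive.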

drooh

4:26 pm on May 13, 2009 (gmt 0)

10+ Year Member



Thanks, that seems to work. However, the password that was associated with phpmyadmin no longer comes up. I'm assuming that is because the htaccess is overwriting it.

Is there a way to use htaccess to make a directory hidden or not visible?

drooh

4:34 pm on May 13, 2009 (gmt 0)

10+ Year Member



Oh, but now I see that if I wasn't already in the first session and I go straight to the phpmyadmin index, it asks for that original password. So it seems it's all good now.

Is it possible to have two passwords?
Meaning one to log into the main directory and another to go into a subdirectory.

jdMorgan

7:13 pm on May 13, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, it's possible, but then you'd have to log in to the top-level directory to get access to the phpmyadmin directory, and once there, you'd have to log in a second time. This would be true even if you directly requested the phpmyadmin directory, because .htaccess files are applied top-down.

This is the basic problem you are fighting. It is more usual to have the top-level directories open, and to place restricted content in subdirectories below that open level.

Jim

drooh

7:35 pm on May 13, 2009 (gmt 0)

10+ Year Member



I would not mind having to log in twice, that actually might be preferred in this case.

Let me explain my current set up.
Home test server where I build websites etc.
Everything is in the root directory including phpmyadmin.
Should I have a directory named websites and put all websites in that directory and password-protect that? And leave the rest open? And then have a separate login for the phpmyadmin directory? Also I'm using vhosts to instruct the exact location of each website directory, so in essence it would not be too hard to put them all in a websites directory?