rewrite conflicts with setting authentication variables

         

gw1500se

3:09 pm on Mar 27, 2011 (gmt 0)


I have a directory that requires authentication (AuthMySQL) and I also want to force SSL. I have the authentication directives in my vhost.conf but the rewrite rule to force SSL is in .htaccess of the protected directory:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


The problem is that when I have the rewrite on, the authentication works correctly; however, Apache does not set the '$_SERVER' PHP variables, 'PHP_AUTH_*' or 'REMOTE_USER'. The first page of the protected set depends heavily on the value of "$_SERVER['PHP_AUTH_USER']". When I turn off the rewrite rules, the variables are set correctly. I am hoping someone understands why this conflict occurs and how to fix it. TIA.

gw1500se

1:10 pm on Mar 29, 2011 (gmt 0)


Further investigation indicates it is not the rewrite rule per se that is causing the problem but rather SSL in general. When I remove the rewrite rule and use an https URL directly, not only are the variables not set but the login prompt doesn't come up and the user is allowed in without authenticating. This looks like a serious security problem now.
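
The second post reports that HTTPS requests reach the directory without a login prompt. One thing to check in that situation, shown here as an added example that is not from the thread, is whether the authentication directives are present in every virtual host that serves the directory. The sketch assumes separate `<VirtualHost>` blocks for ports 80 and 443 and uses a constructed sample configuration with hypothetical paths; the thread does not show the poster's actual files.

```python
import re

# Constructed sample configuration (not from the thread): the auth block
# exists only in the port-80 virtual host.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName example.test
    <Directory /var/www/site/members>
        AuthType Basic
        AuthName "Members"
        Require valid-user
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIR_RE = re.compile(r"<Directory\s+\"?([^\">]+)\"?\s*>(.*?)</Directory>", re.S | re.I)
AUTH_RE = re.compile(r"^\s*AuthType\s+\S+", re.M | re.I)
REQ_RE = re.compile(r"^\s*Require\s+(?:valid-user|user|group)\b", re.M | re.I)

def audit_vhosts(conf, protected_dir):
    """Map each vhost address to True if a <Directory> block covering
    protected_dir carries both AuthType and a user/group Require.
    Limitation: Include files, .htaccess and server-level blocks are not read."""
    protected = protected_dir.rstrip("/")
    results = {}
    for addr, body in VHOST_RE.findall(conf):
        body = re.sub(r"(?m)^\s*#.*$", "", body)  # ignore commented-out lines
        covered = False
        for path, block in DIR_RE.findall(body):
            path = path.strip().rstrip("/")
            applies = protected == path or protected.startswith(path + "/")
            if applies and AUTH_RE.search(block) and REQ_RE.search(block):
                covered = True
        results[addr.strip()] = covered
    return results

def unprotected_vhosts(conf, protected_dir):
    """List the vhost addresses that serve protected_dir without auth directives."""
    return sorted(a for a, ok in audit_vhosts(conf, protected_dir).items() if not ok)

if __name__ == "__main__":
    print(unprotected_vhosts(SAMPLE_CONF, "/var/www/site/members"))
```

A virtual host reported here still needs confirming with an unauthenticated request to the HTTPS URL, which should return 401.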