ReWriteRule and Basic Authentication

4:00 pm on Jul 2, 2011 (gmt 0)

New User

5+ Year Member

joined:July 2, 2011
posts: 1
votes: 0

I'm having a problem with removing "www." from URLs when a directory is protected with Basic Authentication. The following lines for .htaccess (or slight variations) are found everywhere on the web.

"RewriteCond %{HTTP_HOST} ^www\.(.*) [NC]"
"RewriteRule ^(.*) h ttp://%1/$1 [R=301,L]" <- I had to insert a space into "http" for the post

They work great except when a folder is protected. All of these work fine:

xyz.com --> xyz.com
www.xyz.com --> xyz.com
xyz.com/a/ --> xyz.com/a/
www.xyz.com/a/ --> xyz.com/a/

If Basic Authentication is set on for folder "b", this works fine: credentials are requested and accepted.

xyz.com/b/ --> xyz.com/b/

For the following, with FF5, Chrome13, Safari5, I get a credential request with www.xyz.com as the domain and then a second one with xyz.com as the domain, then I see the page. With IE9, all I get is an error page every time.

www.xyz.com/b/ --> error with IE9!

Is there something I can do differently in .htaccess? Ideally I'd like to get only one request for credentials. [Note: I don't need to hear "Don't use IE9"]

Second problem: If I have a custom error page "ErrorDocument 401 /error.php" set, then the error page always gets called with a $_SERVER["REDIRECT_STATUS"] of 200 when www.xyz.com/b/ is requested. This happens on IE9, FF5, Chrome13, and Safari5. It doesn't happen with requests for xyz.com/b/.

Thanks for any suggestions,
1:44 pm on July 12, 2011 (gmt 0)

jdmorgan (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)

joined:Mar 31, 2002
votes: 0

The basic problem is that mod_auth always runs before mod_rewrite, so you're going to get two auth requests (no matter what) if the hostname is incorrect and all domains are mapped to the same server filespace.

The best approach is to always link (on your site) only to the correct/canonical hostname, redirect all non-canonical requests that you can, and then "just live with it" if people are trying to log in using the non-canonical hostname.

Otherwise, you may want to consider implementing your own auth scheme, but that may be a bigger project than it's worth...

Alternately, if you have server-level config access, then you could map the canonical domain to the "normal" filespace, but map all non-canonical requests to a "special" filespace. In this special filespace, authentication/authorization can be disabled, and all requests can be redirected back to the canonical domain. It is possible that you may be able to do this using the "add-on domain" feature of some control panels, but it's usually easier and much more straightforward at the server config level.

Hopefully, one or more of these ideas will help...
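
The server-level approach from the reply above, sketched as an added example (not code posted by either participant). The hostnames and the ErrorDocument line come from the thread; the filesystem paths, the AuthName text and the AuthUserFile location are assumptions.

```apache
# Added example. All paths below are assumed; adjust to the real layout.
# On Apache 2.2, name-based vhosts also need "NameVirtualHost *:80".

# Non-canonical host: the "special" filespace.
# No Auth* directives apply here, so no 401 is ever issued for
# www.xyz.com; mod_alias answers every request with a 301 first.
<VirtualHost *:80>
    ServerName www.xyz.com
    # Empty directory, nothing is served from it (assumed path)
    DocumentRoot /var/www/redirect-only
    # Redirect keeps the rest of the path:
    #   www.xyz.com/b/  ->  http://xyz.com/b/
    Redirect permanent / http://xyz.com/
</VirtualHost>

# Canonical host: the "normal" filespace, where /b/ is protected.
# This is the only place a credential prompt can originate.
<VirtualHost *:80>
    ServerName xyz.com
    DocumentRoot /var/www/xyz.com

    <Directory /var/www/xyz.com/b>
        AuthType Basic
        AuthName "Restricted"
        # Password file kept outside the DocumentRoot (assumed path)
        AuthUserFile /etc/apache2/htpasswd-xyz
        Require valid-user
    </Directory>

    # The 401 page from the original question, now only reached
    # for requests made to the canonical hostname
    ErrorDocument 401 /error.php
</VirtualHost>
```

With this layout the www-stripping RewriteCond/RewriteRule pair is no longer needed in the .htaccess of the protected filespace, since requests for www.xyz.com never reach it.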