Strange htaccess problem

Custom error pages.

         

Blackcat_UK

9:00 pm on May 4, 2003 (gmt 0)

10+ Year Member



Hi,

I've scoured Google and various forums for the last couple of hours, but can't find an answer to this one.

I've a small htaccess protected area on my site and I've used a script to pass the login details to the htaccess file. It works ok without problems.

If a wrong username/password is entered, then the usual pop-up login box appears for the user to re-enter the details. To stop this, I've set up a custom error message that basically is just a copy of the login page, with an Invalid message on it.

The problem is that if an invalid username and/or password is entered then the pop-up login box is still appearing over a blank page (the URL to the login script is shown on the address bar).

If a wrong entry is again made, then the custom error page is shown properly, and subsequently from then on. The error logs are showing nothing other than the usual fact that an invalid username or password has been entered.

I'll give any specific details on the script and htaccess contents if anyone shows any interest ;-)

dmorison

10:13 pm on May 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi again Blackcat!

A browser does not know that a username / password is required until it receives the Error Code 401 (Authorization Required) in response to a GET attempt....

So the browser in fact receives your customised error page straight away - even before the user has had a chance to enter their username and password. Because it wouldn't look very good if this is what the user sees, browsers will not actually display the 401 document until they've let the user have a number of attempts at getting their username and password correct.

Blackcat_UK

10:45 pm on May 4, 2003 (gmt 0)

10+ Year Member



Thanks for taking the time to reply.

Can I just illustrate this in baby steps, for my sake :-/

The user enters the main site index page:

www.mysite.com/index.html

and selects the login page link

www.mysite.com/html/login.html

the web-based login form is displayed and they enter a wrong username/password which is passed to the login script to redirect to .htaccess

www.mysite.com/html/loginscript.php

.htaccess rejects it and the server issues a 401 unauthorised error

I would expect here to see my custom 401 error page, but instead get a pop-up login box. If this is filled in correctly, then everything proceeds as normal, but if it's incorrectly filled in then I see my custom error 401 page. I then see my custom page at every subsequent wrong entry from then, or the normal protected page if the correct information is entered.

I don't understand why that first 401 error results in a pop-up login box, rather than my custom page which is defined in .htaccess?

Sorry if I appear a bit stupid here, but I've been chasing this problem for the best part of a day now :-/

dmorison

11:04 pm on May 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi Blackcat,

I think I see what you're doing now - and I think this problem and that you describe in your other post are related.

So you are providing your own login form in HTML, something like...

<form action="login.html">
<input type='text' name='username'>
<input type='password' name='password'>
<input type='submit'>
</form>

...kind of thing.

Then you redirect by sending the browser a 302 (redirection) to your protected page by redirecting to:

[username:password@mydomain.com...]

Ok:

1) If username and password are wrong, your server will send 401 Authorisation Required. Because this is the _first time_ the browser has seen this error for that page it will then offer the user the chance to enter a username and password - but this time of course using the browser's built-in login dialog box and not your HTML form.

So I'm afraid using your current mechanism combined with the way "401 Authorisation Required" and browsers work together, you will not be able to get your custom error page displayed after the first incorrect attempt - because the browser won't display it until the user has had a few attempts.

Anyway,

2) This I think also explains the other problem you are having. Because you have sent the browser a redirect to the protected area by including the credentials within the URL, the browser has picked this up as the "BASE URL" (against which it references your relative links) and therefore displays the credentials in the status bar.

Hope this helps!

Blackcat_UK

11:10 pm on May 4, 2003 (gmt 0)

10+ Year Member



This is the script (I found it on the web after much searching).

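<?php
// Host and path of the .htaccess-protected area.
$server = "www.mysite.com/html/myprotectedarea/";

// Read the submitted login details ($_POST replaces the removed $HTTP_POST_VARS);
// default to empty strings so both variables are always defined.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
?>
<script>
// Send the browser to the protected area with the credentials embedded in the URL.
// rawurlencode() keeps quotes and other special characters in the input from
// breaking out of the JavaScript string or the user:password part of the URL.
function redirect()
{
    window.location.replace("http://<?= rawurlencode($username) ?>:<?= rawurlencode($password) ?>@<?= $server ?>");
}
setTimeout(redirect, 500);
</script>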

Grrrrr...I guess I'll have to look at some other method then...

Thanks very much for your help dmorison - I appreciate it :-)
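The 401 exchange dmorison describes, as an added example that is not part of the original thread: a loopback server that answers both missing and wrong Basic credentials with the challenge header plus the custom error document, so the page is delivered on the very first 401 and it is the browser that chooses to show its dialog instead. The user name, password, realm and page text are constructed sample values.

```python
import base64, hmac, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values, not taken from the thread.
USER, PASSWORD = "alice", "s3cret"
CHALLENGE = 'Basic realm="Members"'
CUSTOM_401 = b"<html><body>Invalid login, please try again.</body></html>"

def basic(userpass):
    """Header value a client builds from 'user:pass': base64, not encryption."""
    return "Basic " + base64.b64encode(userpass.encode()).decode()

class Protected(BaseHTTPRequestHandler):
    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        if hmac.compare_digest(sent.encode(), basic(f"{USER}:{PASSWORD}").encode()):
            self._send(200, b"protected page")
        else:
            # No credentials and wrong credentials get the same response:
            # the challenge header AND the custom error page as the body.
            self._send(401, CUSTOM_401, CHALLENGE)

    def _send(self, status, body, challenge=None):
        self.send_response(status)
        if challenge:
            self.send_header("WWW-Authenticate", challenge)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(credentials=None):
    """One request to a throwaway loopback server; returns (status, challenge, body)."""
    server = HTTPServer(("127.0.0.1", 0), Protected)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    headers = {"Authorization": basic(credentials)} if credentials else {}
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("WWW-Authenticate"), resp.read())
    conn.close()
    worker.join(timeout=5)
    server.server_close()
    return result

if __name__ == "__main__":
    for creds in (None, "alice:wrong", "alice:s3cret"):
        print(creds, fetch(creds))
```

Because the response to a bad login is byte-for-byte the same as the response to no login, the server cannot force the custom page to be rendered; a client that sees `WWW-Authenticate` is free to prompt first.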