htaccess + htpasswd: how to prevent executing php scripts without specifying a password


My site is managed by Apache on Linux. In the base directory, there is the subfolder fill. In this subfolder, there is a PHP script: do.php

Here is my .htaccess:

AuthType Basic
AuthName 'Welcome back'
AuthUserFile /home/provider/mysite/fill/.htpasswd
Require valid-user

Here is my .htpasswd:


When I go to http://mysite/fill, I am asked for a username and a password. When I specify them (ab12 with the password), I log in successfully and see the content of index.html located in this fill folder (i.e. http://mysite/fill/index.html). Then, I clear browsing history and all the passwords saved earlier. After that, when I run the script http://mysite/fill/do.php, I am NOT asked for any authentication.

The question: is it possible to ask for credentials when running http://mysite/fill/do.php? Any changes in htaccess?

Thank you.

Looking at the Apache documentation on Authentication, Authorization, and Access Control, unfortunately it seems that it is not possible to log out.

So the problem is not that http://mysite/fill/do.php is not asking for credentials. The actual problem here is that you are not able to reset the authentication.

How do I log out?

Since browsers first started implementing basic authentication,
website administrators have wanted to know how to let the user log
out. Since the browser caches the username and password with the
authentication realm, as described earlier in this tutorial, this is
not a function of the server configuration, but is a question of
getting the browser to forget the credential information, so that the
next time the resource is requested, the username and password must be
supplied again. There are numerous situations in which this is
desirable, such as when using a browser in a public location, and not
wishing to leave the browser logged in, so that the next person can
get into your bank account.

However, although this is perhaps the most frequently asked question
about basic authentication, thus far none of the major browser
manufacturers have seen this as being a desirable feature to put into
their products.

Consequently, the answer to this question is, you can’t. Sorry.

Looking at this question, you might be able to research other ways to log out.
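
An added example (not from the original thread or from Apache's documentation): checking from a client that holds no cached credentials whether /fill/do.php is actually challenged, which separates server-side enforcement from the browser's per-realm credential cache. FillHandler is a hypothetical local stand-in for the Apache configuration above, and the credentials are constructed.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

USER, PASSWORD = "demo-user", "demo-pass"  # constructed values, not from the page


def basic_header(user, password):
    """Authorization value a browser resends on every request in the realm."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class FillHandler(BaseHTTPRequestHandler):
    """Hypothetical local stand-in for Apache: /fill/ requires Basic auth."""
    def do_GET(self):
        authorized = self.headers.get("Authorization") == basic_header(USER, PASSWORD)
        if self.path.startswith("/fill/") and not authorized:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Welcome back"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def probe(url, credentials=None):
    """Send one GET with no cached state; return (status, challenge header)."""
    parts = urlsplit(url)
    headers = {"Authorization": basic_header(*credentials)} if credentials else {}
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    conn.request("GET", parts.path or "/", headers=headers)
    response = conn.getresponse()
    status, challenge = response.status, response.getheader("WWW-Authenticate")
    conn.close()
    return status, challenge


def run_demo():
    """Probe /fill/do.php on the stand-in server without, then with, credentials."""
    with HTTPServer(("127.0.0.1", 0), FillHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/fill/do.php"
        results = probe(url), probe(url, (USER, PASSWORD))
        server.shutdown()
    return results
```

Calling probe() on the real do.php URL performs the same check against Apache: a 401 with the Basic challenge means the script is protected and the browser was resending credentials it still held for the realm.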
