[mod-security-users] .htaccess, AUTH, and file access
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] .htaccess, AUTH, and file access
|
From: Peter <pet...@co...> - 2006-01-31 16:19:12
|
(this message was previously submitted, but I since joined the mail list, so the mods can ignore the pending post) My .htaccess file for a directory... AuthType Basic AuthUserFile /home/content/pwfile AuthGroupFile /dev/null AuthName "Restricted Area" Require user peter My web hosting service uses Apache 1.3, and I have an issue which is curious. With the above, any attempt to access an html page, or the directory results in the proper username/password challenge. However, if a user tried to access certain files directly (assuming they know the names), sometimes a password challenge is NOT presented. For example, if a user types: http://mysecure.dir/myfile.html he will get a username/password challenge and http://mysecure.dir/myfile.gif he will get a challenge BUT http://mysecure.dir/myfile.jpg will not get challenged and the browser presents options for opening or downloading the file! No password challenge. Same with http://mysecure.dir/myfile.xls or http://mysecure.dir/myfile My question is, is this expected behavior? How can I tell which filetypes will bypass AUTH security? Are there specific commands I can add to .htaccess? I even tried deny all in <Files *>, but still I am offered a download choice. Sorry if this post does not belong here, but I do appreciate any feedback and suggestions. The hosting company is "investigating" after being able to reproduce the error. |
