Apache basic authentication without instant prompt for credentials
I'm looking for a way to eliminate the intrusive instant prompt for credentials when basic authentication is used and instead serve a nice page that tells the user where he is and what credentials to use if he wants to proceed.
I came up with this simple .htaccess:
# .htaccess in /auth/ of DocumentRoot
AuthType Basic
AuthName "Protected Area"
AuthUserFile /path/to/htdocs/auth/.htpasswd
<RequireAll>
# Grant access to unauthenticated users via GET
# Warning!!! Make sure redirect to "logininfo.html" works!!!
Require expr "%{HTTP:Authorization} == ''"
Require method GET HEAD OPTIONS
</RequireAll>
Require expr "%{REQUEST_URI} == '/auth/loginfail.html'"
Require valid-user
ErrorDocument 401 /auth/loginfail.html
RewriteEngine On
# show unauthenticated users a nice login info page
RewriteCond expr "%{HTTP:Authorization} == ''"
RewriteRule .* logininfo.html
It grants access without authentication when the HTTP Authorization header is empty for GET/HEAD/OPTIONS requests.
All unauthenticated requests are handled by logininfo.html.
POST requests (e.g. Login Button) require authentication, thus trigger the credentials prompt.
It works, but I think it is kind of risky and counterintuitive to generally grant access for users that don't authenticate. But I think it is okay in this case. Is there a security risk with this solution I've overlooked?
I would also be interested in a solution for serving my logininfo.html with HTTP 401/403 instead of 200. Thanks.
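Added example, not part of the original post: a small Python model of the access decision the .htaccess above encodes, listing which requests are granted without credentials depending on whether the rewrite to logininfo.html is applied. The function names, the rewrite_applied switch and the sample URIs are assumptions made for illustration; the body of the 401 response is not modeled.

```python
# Added model of the question's .htaccess logic; not Apache code.
# All function names and sample URIs are hypothetical.
LOGININFO = "/auth/logininfo.html"
LOGINFAIL = "/auth/loginfail.html"   # ErrorDocument 401 target
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def authorized(method, uri, authorization, creds_valid):
    """Top-level Require lines are OR-ed (implicit RequireAny)."""
    no_header = authorization == ""
    anonymous_read = no_header and method in SAFE_METHODS  # <RequireAll> block
    fail_page = uri == LOGINFAIL                            # Require expr on REQUEST_URI
    valid_user = (not no_header) and creds_valid            # Require valid-user
    return anonymous_read or fail_page or valid_user


def handle(method, uri, authorization="", creds_valid=False, rewrite_applied=True):
    """Return (status, document served); None means an error body, not modeled."""
    if not authorized(method, uri, authorization, creds_valid):
        return 401, None
    if authorization == "" and rewrite_applied:
        return 200, LOGININFO      # RewriteRule .* logininfo.html
    return 200, uri


def audit(uris, rewrite_applied):
    """List (method, uri) pairs granted for the resource itself with no credentials."""
    exposed = []
    for uri in uris:
        if uri in (LOGININFO, LOGINFAIL):
            continue               # these pages are meant to be public
        for method in sorted(SAFE_METHODS):
            status, served = handle(method, uri, rewrite_applied=rewrite_applied)
            if status == 200 and served == uri:
                exposed.append((method, uri))
    return exposed


if __name__ == "__main__":
    # Constructed sample URIs, not from the original post.
    sample = ["/auth/report.pdf", "/auth/admin/index.html", LOGININFO]
    print("rewrite applied:", audit(sample, True))
    print("rewrite skipped:", audit(sample, False))
    print("POST, no header:", handle("POST", "/auth/login"))
```

In this model the Require rules alone never stop a header-less GET, HEAD or OPTIONS request; only the rewrite keeps the requested document from being returned, which is the dependency the warning comment in the .htaccess points at.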