Posted to users@httpd.apache.org by Graham Pye <gr...@gjpye.com> on 2015/11/23 20:11:37 UTC

[users@httpd] RE: Passwords on Nested Folders

For the benefit of anyone reading this later, in an archive presumably, the
problem turned out to be (most likely) caused by a long-standing Firefox bug
- see the following cases for further details:

https://bugzilla.mozilla.org/show_bug.cgi?id=707156

https://bugzilla.mozilla.org/show_bug.cgi?id=137852

However, I have found that moving my "admin" files (with a different
password) to a folder that's at the same level as the "members" files,
rather than a sub-folder of the members files, has reduced the incidence of
the problem to virtually zero, i.e. it hasn't re-occurred yet :-)

Graham

I run a website for a local club. The site is divided into three sections,
public, members only, and administration with the files for each section in
a separate folder on the server. The members and admin folders have their
own (different!) passwords, set up in .htaccess files - I'm not a U**x
heavy, so I've used the cPanel tool provided by our ISP to set up the
security, but as far as I can tell by looking at the files, they're all set
up OK.

Now, the problem is that using Firefox to access the admin part of the site,
occasionally the browser sends the security credentials for the members area
rather than the admin area, and as a result the server denies access. I
think that the reason for this is that the admin files are in a sub-folder
of the members files, and hence they inherit the members area's security as
well as having their own security.

It seems unlikely that this is a Firefox bug as I'm sure it would have been
detected before, but since I use that browser almost exclusively and the
problem only occurs randomly it's difficult to prove that accessing the site
without problems using IE for a while points the finger of blame at the
browser.

I've used the Firefox add-in LiveHTTPheaders to examine the headers the
browser is sending back, and hence I can see that it's sending the
credentials for the wrong part of the site, i.e. the members area, when it
goes wrong.

If I move the admin folder to a separate part of the file tree at the same
level as the members and public files is that likely to fix the problem? I
presume that if I refer to some files in other parts of the tree (to get
common CSS files, images, etc.) they will then work OK, or do I need to have
copies of them in the admin folder?

Thanks,

Graham
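
An added illustration, not part of the original posts and not Firefox's code: a toy model of the path-prefix scoping that RFC 7617 allows clients to use when sending Basic credentials pre-emptively, showing why the nested layout leaves two cached logins matching an admin URL while the sibling layout leaves one. The paths, realm names, users and passwords are constructed sample data, and `user_in_header` is a hypothetical helper for checking a captured `Authorization` header.

```python
import base64
from posixpath import dirname

def basic_header(user, password):
    """Build the Authorization value for HTTP Basic (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def user_in_header(value):
    """Return the username carried in a captured Basic Authorization value."""
    scheme, token = value.split(None, 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(token).decode().split(":", 1)[0]

class CredentialCache:
    """Toy client-side cache keyed by the directory a login succeeded in."""
    def __init__(self):
        self.entries = []  # (path_prefix, realm, user, password)

    def remember(self, url_path, realm, user, password):
        # RFC 7617: paths at or below the directory of the authenticated
        # URL may be assumed to lie in the same protection space.
        prefix = dirname(url_path).rstrip("/") + "/"
        self.entries.append((prefix, realm, user, password))

    def candidates(self, url_path):
        """Every cached entry whose prefix covers url_path."""
        return [e for e in self.entries if url_path.startswith(e[0])]

def candidate_users(layout, request_path):
    """Users whose cached login could be sent pre-emptively for request_path."""
    cache = CredentialCache()
    for path, realm, user, pw in layout:
        cache.remember(path, realm, user, pw)
    return sorted(e[2] for e in cache.candidates(request_path))

# Constructed sample data: every path, realm, user and password is made up.
NESTED = [("/members/index.html", "Members", "member", "m-pass"),
          ("/members/admin/index.html", "Admin", "admin", "a-pass")]
SIBLING = [("/members/index.html", "Members", "member", "m-pass"),
           ("/admin/index.html", "Admin", "admin", "a-pass")]

if __name__ == "__main__":
    # Nested: both logins cover the admin URL, so the client must pick one.
    print(candidate_users(NESTED, "/members/admin/users.html"))
    # Sibling: only the admin login covers the admin URL.
    print(candidate_users(SIBLING, "/admin/users.html"))
    print(user_in_header(basic_header("member", "m-pass")))
```

With more than one candidate, which credential goes out depends on the client's selection logic; the sibling layout removes the overlap, so there is nothing to choose between.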