Closed Bug 50251 Opened 24 years ago Closed 24 years ago

Multiple .htaccess files sharing same .htusers file

Categories

(Core :: Networking, defect, P3)

x86
All
defect

Tracking

VERIFIED DUPLICATE of bug 32335

People

(Reporter: swcox, Assigned: gagan)

Details

Mozilla is behaving differently to Netscape 4 and IE 4/5 when handling security
set by identical .htaccess files in separate directories on the same website -
but sharing the same .htusers file.

E.g. For website www.abc.com, let's say the .htusers file is placed in the root
/. Two separate subdirectories /dirA and /dirF have identical .htaccess files
referring to the same /.htusers file. With older browsers, authenticating
against entering one directory - say dirA - would grant access to dirF later.
However, with Mozilla, the username and password would have to be entered twice.

I can't find the "correct" behaviour according to any w3c specs but I know of
sites with bulletin boards where this will have an effect - the board index page
being protected by one .htaccess file and the perl posting scripts being
protected by a copy in another directory - the rest of these sites being
generally open to all. (Matt Wright WWWBoard scripts)

I've set up a website to demonstrate this - see below. The site is
www.swcox.uklinux.net and I've included the site's /read-me file.
I've confirmed the same behaviour on Windows nightly build 22nd Aug.



I've included the /read-me file from the website: www.swcox.uklinux.net:

This web site has been set up to simply demonstrate the different implementation
of .htaccess and .htusers files when browsing with Netscape/IE and Mozilla.

The single .htusers file is stored in the root of the web site
(www.swcox.uklinux.net)
There are two sub-directories (Area1 and Area2) which both contain identical
.htaccess files:
-----------------------------------
AuthName "Mozilla Test Board"
AuthType Basic
AuthUserFile /www/swcox.uklinux.net/.htusers
AuthGroupFile /dev/null
require valid-user
----------------------------------

There are no default/index html files on this site so visitors are presented
with the directory structure. However, once someone browses into either
Area1 or Area2 they are asked to input username and password - in this
case "user" and "password" have been configured as the appropriate responses.
Once one Area has been visited, the other should allow access. This is true
with Netscape and IE but not with Mozilla M17 - requiring the username and
password to be entered twice.

This impacts on sites that use the .htaccess files to protect separate
subdirectories with the same authentication system.
E.g. private bulletin boards protecting the board index and also separated
posting perl scripts i.e. Matt Wright's WWWBoard.

I'm lost. Is this HTTP authentication? Reassigning to Networking.
Assignee: mstoltz → gagan
Component: Security: General → Networking
QA Contact: czhang → tever
Confirming. I've seen password entry boxes appearing more than once on multiple 
sites where just once on 4.x and IE, and I assume that's what you're talking 
about, reading through your description 3+ times.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Perhaps a dupe of 32335. Maybe not. From what I picked up on this one's
description (or what I understood), you're doing something different to achieve 
the same outcome from 32335, ignoring realms. Anyone else? Reporter, is this the 
case? I don't think Mozilla does anything with .htaccess and .htusers files, 
just the server.
[swcox using work email logon] Hi, I've had a look at 32335 and this appears to
be the same as some of the bugs marked as duplicates for 32335 (double signon).

However, some of 32335's duplicates look a little different in their symptoms - 
But I'm not a coder so it all may well be the same thing.

I'm not too hot on the term 'realm' but I think my report refers to realms - 
the logon dialog that pops up when moving to a directory with a .htaccess file 
certainly asks for a username and password for that realm.

If the realm is determined by a .htusers file then there is certainly something
odd going on as the logon popup is appearing for .htaccess files located in
separate directories referring to the same .htusers file.

I'm not sure if this is occurring for only .htaccess files in totally separate
directories or also for when one directory is a subdirectory of another - I'll
check that out.
Oh yes, this can be a bit of a pain when it occurs in a message board 
environment as previously mentioned (Matt Wright's WWWBoard Perl script). 
Because if a second logon prompt is requested as a post is made, the posted
contents are lost and not sent.
This is indeed a dupe. I've looked into this, Mozilla doesn't handle .htaccess 
or .htusers files, it's all the server. The server reads them and sends an 
appropriate header. The "Realm" is the AuthName directive. When a browser 
(Netscape, IE) sees the same realm in a different directory on the same site, 
it'll automatically send the user/pass combo from before. Mozilla ignores 
realms, and requires entry twice.

*** This bug has been marked as a duplicate of 32335 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
vrfy dupe
Status: RESOLVED → VERIFIED
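
The realm matching described in the comments above, as an added example (not part of the original bug report and not Mozilla's code): a credential cache keyed on origin plus realm prompts once for Area1 and Area2, while a hypothetical cache that ignores the realm and keys on the directory prompts twice. The URLs, the challenge string and every function name here are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed challenge: what a server sends for the page's AuthType/AuthName.
CHALLENGE = 'Basic realm="Mozilla Test Board"'
# Visit order from the report (URLs built from the site name on the page).
VISITS = ["http://www.swcox.uklinux.net/Area1/",
          "http://www.swcox.uklinux.net/Area2/"]

def basic_realm(www_authenticate):
    """Realm of a Basic challenge whose first parameter is realm, else None."""
    m = re.match(r'\s*Basic\s+realm="((?:[^"\\]|\\.)*)"', www_authenticate, re.I)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

def origin(url):
    """(scheme, host, port): cached credentials never cross this boundary."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}[u.scheme])

def realm_key(url, challenge):
    """Protection space: same origin and same realm share credentials."""
    return (origin(url), basic_realm(challenge))

def directory_key(url, challenge):
    """Hypothetical client that ignores the realm and keys on the directory."""
    return (origin(url), posixpath.dirname(urlsplit(url).path))

class CredentialCache:
    def __init__(self, key_func):
        self._key, self._store = key_func, {}

    def lookup(self, url, challenge):
        return self._store.get(self._key(url, challenge))

    def save(self, url, challenge, user, password):
        self._store[self._key(url, challenge)] = (user, password)

def prompts_needed(cache, visits, challenge=CHALLENGE):
    """Count login prompts: one for each 401 with no cached credentials."""
    prompts = 0
    for url in visits:
        if cache.lookup(url, challenge) is None:
            prompts += 1  # user types "user" / "password" as in the read-me
            cache.save(url, challenge, "user", "password")
    return prompts

if __name__ == "__main__":
    print("realm-keyed:", prompts_needed(CredentialCache(realm_key), VISITS))
    print("directory-keyed:", prompts_needed(CredentialCache(directory_key), VISITS))
```

Because the origin is part of the key, a different host that advertises the same realm string gets no cached credentials.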