Closed Bug 50251 Opened 24 years ago Closed 24 years ago

ultiple .htaccess files sharing same .htusers file

Categories

(Core :: Networking, defect, P3)

Product:
Core
Component:
Networking
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED DUPLICATE of bug 32335

People

(Reporter: swcox, Assigned: gagan)

References

(
URL
)

Details

Mozilla is behaving differently to Netscape 4 and IE 4/5 when handling security set by identical .htaccess files in seperate directories on the same website - but sharing the same .htusers file. E.g. For website www.abc.com, lets say the .htusers file is placed in the root /. Two seperate subdirectories /dirA and /dirF have identical .htaccess files referring to the same /.htusers file. With older browsers, authenticating against entering one directory - say dirA - would grant access to dirF later. However, with Mozilla, the username and password would have to be entered twice. I can't find the "correct" behaviour according to any w3c specs but I know of sites with bulletin boards where this will have an effect - the board index page being protected by one .htaccess file and the perl posting scripts being protected by a copy in another directory - the rest of these sites being generally open to all. (Matt wright WWWBoard scripts) I've set up a website to demonstrate this - see below. The site is www.swcox.uklinux.net and I've included the site's /read-me file.
I've confirmed the same behaviour on Windows nightly build 22nd Aug I've included the /read-me file from the website: www.swcox.uklinux.net: This web site has been set up to simply demonstrate the different implemetation of .htaccess and .htusers files when browsing with Netscape/IE and Mozilla. The single .htusers file is stored in the root of the web site (www.swcox.uklinux.net) There are two sub-directories (Area1 and Area2) which both contain identical .htaccess files: ----------------------------------- AuthName "Mozilla Test Board" AuthType Basic AuthUserFile /www/swcox.uklinux.net/.htusers AuthGroupFile /dev/null require valid-user ---------------------------------- There are no default/index html files on this site so visitors are presented with the directory structure. However, once someone browses into either Area1 or Area2 they are asked to input username and password - in this case "user" and "password" have been configured as the approprite responses. Once one Area has been visited, the other should allow access. This is true with Netscape and IE but not with Mozilla M17 - requiring the username and password to be entered twice. This impacts on sites that use the .htaccess files to protect seperate subdirectories with the same authentication system. E.g. private bulletin boards protecting the board index and also seperated posting perl scripts i.e. Matt Wright's WWWBoard.
I'm lost. Is this HTTP authentication? Reassigning to Networking.
Assignee: mstoltz → gagan
Component: Security: General → Networking
QA Contact: czhang → tever
Confirming. I've seen password entry boxes appearing more than once on multiple sites where just once on 4.x and IE, and I assume that's what you're talking about, reading through your description 3+ times.
Status: UNCONFIRMED → NEW
Ever confirmed: true
perhaps a dupe of 32335. Maybe not. From what I picked up on this one's description (or what I understood), you're doing something different to achieve the same outcome from 32335, ignoring realms. Anyone else? Reporter, is this the case? I don't think Mozilla does anything with .htaccess and .htusers files, just the server.
[swcox using work email logon] Hi, I've had a look at 32335 and this appears to be the same assome of the bugs marked as duplicates for 32335(double signon). However, some of 32335's duplicates look a little different in their symptoms - But I'm not a coder so it all may well be the same thing. I'm not too hot on the term 'realm' but I think my report refers to realms - the logon dialog that pops up when moving to a directory with a .htaccess file certainly asks for a username and password for that realm. If the realm is determined by a .htusers file then there is certainly something odd going on as the logon popup is appearing for .htaccess files located in seperate directories refering to the same .htusers file. I'm not sure if this is occuring for only .htaccess files in totally seperate directores or also for when one directory is a subdirectory of another - I'll check that out.
Oh yes, this can be a bit of a pain when it occurs in a message board environment as previously mentioned (Matt Wright's WWWBoard Perl script). Because if a second logon prompt is reqested as a post is made, the posted contents are lost and not sent.
This is indeed a dupe. I've looked into this, Mozilla doesn't handle .htaccess or .htusers files, it's all the server. The server reads them and sends an appropriate header. The "Realm" is the AuthName directive. When a browser (Netscape, IE) sees the same realm in a different directory on the same site, it'll automatically send the user/pass combo from before. Mozilla ignores realms, and requires entry twice. *** This bug has been marked as a duplicate of 32335 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
vrfy dupe
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.