# for basic deny from all
AuthType Basic
AuthUserFile /home/content/sec/pwfile
AuthGroupFile /dev/null
AuthName "Restricted Area"

This is my htaccess file, and when a user accesses this dir, a username/password challenge comes up and works fine. HOWEVER, certain file types are served right away without a password challenge! Others are challenged.

I use a web hosting service, so I don't have access to their conf files. I can only manage my htaccess files.

If a user knows a filename and tries to access it directly, sometimes he/she can. For example:

http://mysecure.dir/file.xls will be served immediately with no password challenge. Same with http://mysecure.dir/file.ico or even a file with no extension, http://mysecure.dir/file, and http://mysecure.dir/file.zip will also be served without a challenge.

But http://mysecure.dir/file.gif is always challenged, as well as http://mysecure.dir/file.html

Of course, if the files don't exist, mostly I get a 404 error instead of a password challenge, and sometimes just a blank screen.

My question is WHY? My hosting company uses Apache 1.3.31 and of course, they're of little help. I tried playing with the Limit and file directives, but they seem not to work.

I have two questions:

1) I searched the bugs and found some similar issues. Is this behavior normal? Or am I doing something wrong?

2) Is there a way I can protect this dir from direct file access, or do I need to rename everything to .gif in order to protect it?

Thanks in advance.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
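Added example, not part of the original post and not Apache project code: one way to check from the outside which file names in a protected directory are answered without a 401 challenge when no credentials are sent. The names probe, audit, SymptomHandler and demo are hypothetical, and the local server is a constructed stand-in that only mimics the symptom described above so the check can run offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore environment proxies so each request goes straight to the audited host.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(url, timeout=5):
    """Status code of a GET sent with no credentials."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401, 403, 404 ... arrive as HTTPError

def audit(base_url, names):
    """Return ({name: status}, sorted names that were not answered with 401)."""
    statuses = {n: probe(base_url.rstrip("/") + "/" + n) for n in names}
    return statuses, sorted(n for n, s in statuses.items() if s != 401)

class SymptomHandler(BaseHTTPRequestHandler):
    """Constructed stand-in reproducing the symptom in the post; not Apache."""
    def do_GET(self):
        if self.path.endswith((".gif", ".html")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted Area"')
        else:
            self.send_response(200)  # served with no challenge
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

# File names taken from the post; the host and port are local and constructed.
NAMES = ["file.xls", "file.ico", "file", "file.zip", "file.gif", "file.html"]

def demo():
    server = HTTPServer(("127.0.0.1", 0), SymptomHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("http://127.0.0.1:%d/secure" % server.server_port, NAMES)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    statuses, gaps = demo()
    print(statuses, "not challenged:", gaps)
```

To run it against a real directory, call audit() with that directory's base URL and a list of file names known to exist there; any name in the second return value was answered with something other than a 401.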