Basic Auth debugging


This page should be coming to you via a rewrite, like this...

RewriteEngine on

# IF...  this is not already an HTTPS request
# AND... we are not at localhost
# AND... we are not in the Basic Auth realm (/check_auth)
# THEN...don't capture the optional www; capture the rest of the host
# AND... form the new URL as an https protocol + host + request_uri
#        (the ?%{TIME}&debug=... query string is only there for debugging)

RewriteCond %{HTTPS}        off
RewriteCond %{HTTP_HOST}    !^localhost$              [NC]
RewriteCond %{REQUEST_URI}  !^/check_auth             [NC]
RewriteCond %{HTTP_HOST}    ^(?:www\.)?(.+)           [NC]
RewriteRule ^               https://%1%{REQUEST_URI}?%{TIME}&debug=%{REQUEST_URI}  [R=302,L]

# NB: RewriteRule back-references ($N) refer to the RewriteRule pattern
# NB: RewriteCond back-references (%N) refer to the last matched RewriteCond pattern

# special autoversioning for investigating Basic Auth:
# /check_auth.1234567890/index.htm -> /check_auth/index.htm
# NB: the substitution is $1$2 (no dot between); $1.$2 would give /check_auth./index.htm
RewriteRule ^(.*)\.[\d]{10}(/index\.htm)$ $1$2 [L]

# Configure error documents
# -------------------------
ErrorDocument 401  default
ErrorDocument 403  default
ErrorDocument 404  default
ErrorDocument 500  default

Basic Auth Problems

I'm finding that links to a page requiring Basic Auth are not being interpreted correctly. This is difficult to debug, though, because of browser caching and the inability to log out of a Basic Auth session.

Versioning

To try to get around this, I tried adding a variation of my versioning routine to this page. .htaccess now rewrites access to .htm (sic) files as well as .js and .css. In the following two URLs, JS rewrites a link each time it is clicked (via ONCLICK="autoversion(this.href);") to add a timestamp to the directory check_auth, viz: Go to https://sandbox.caves.org.uk/check_auth/index.htm or http://sandbox.caves.org.uk/check_auth/index.html. HOWEVER.... this does not achieve the desired result, which I can sort of understand if I think about it in detail.

The solution - as posted to BCA forum

Earlier, I reported that I had included a rewrite in my .htaccess file to map non-https URLs to https, to 'encourage' customers to use the https addresses. I found, though, that this seemed to cause a Basic Auth operation to fail (i.e. a page where you need a password to access it). This proved very hard to debug, because browsers cache the WWW-Authenticate results, and there is no easy way to log out of a Basic Auth login. However, I eventually realised that, apart from some annoying typos in my rewrites, the problem was that the BCA server does not provide a default setting for ErrorDocument. (I reported this to BCA "some years ago" but my report was overlooked.) Until this is fixed, you need to add the following lines to your .htaccess file.

# Configure error documents
# -------------------------
ErrorDocument 401  default  
ErrorDocument 403  default  
ErrorDocument 404  default  
ErrorDocument 500  default  

I have not worked out the precise mechanism of the fault, but it is an arcane combination of not being able to find an error document and trying to map http URLs to https. Adding the above lines cured the problem, only to reveal a second one. The user goes to a Basic Auth page with the http protocol and is logged in. However, because of my rewrite, he is then asked to log in to the https page, so he receives two login dialogues. This is solved by adjusting the rewrite so that it does not attempt to rewrite pages in a Basic Auth realm. Something like this...

RewriteEngine on

# IF...  this is not already an HTTPS request
# AND... we are not at localhost
# AND... we are not in a Basic Auth realm (/check_auth/ in this case)
# THEN...don't capture the optional www; capture the rest of the host
# AND... form the new URL as an https protocol + host + request_uri

RewriteCond %{HTTPS}        off
RewriteCond %{HTTP_HOST}    !^localhost$              [NC]
RewriteCond %{REQUEST_URI}  !^/check_auth             [NC]
RewriteCond %{HTTP_HOST}    ^(?:www\.)?(.+)           [NC]
RewriteRule ^               https://%1%{REQUEST_URI}  [R=302,L]

# NB: RewriteRule back-references ($N) refer to the RewriteRule pattern
# NB: RewriteCond back-references (%N) refer to the last matched RewriteCond pattern

# Configure error documents
# -------------------------
ErrorDocument 401  default
ErrorDocument 403  default
ErrorDocument 404  default
ErrorDocument 500  default
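
As an added example (not code from this page or its author), here is a small Python model of the rule above, so the realm exclusion can be checked without a browser's cached credentials getting in the way; host names in it are constructed samples, and exclude_realm=False reproduces the earlier rule that caused the double login dialogue. It also strips the autoversioning timestamp the way the earlier rewrite does.

```python
import re

# Model of how mod_rewrite evaluates the http -> https rule in the .htaccess
# above. Added example, not the page's own code; host names are constructed.

HOST_RE = re.compile(r"^(?:www\.)?(.+)", re.IGNORECASE)   # RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+) [NC]
REALM_RE = re.compile(r"^/check_auth", re.IGNORECASE)     # RewriteCond %{REQUEST_URI} !^/check_auth [NC]
VERSION_RE = re.compile(r"^(.*)\.\d{10}(/index\.htm)$")   # autoversioning rule


def rewrite_target(https_on, host, request_uri, exclude_realm=True):
    """Return the Location of the 302 the rule would emit, or None when a
    RewriteCond fails and the request is served as-is (so a page inside the
    Basic Auth realm simply answers with its own 401 challenge).

    exclude_realm=False reproduces the earlier rule that lacked the
    /check_auth condition: a user already logged in over http is bounced to
    https and is asked to log in a second time for the same realm.
    """
    if https_on:                      # RewriteCond %{HTTPS} off
        return None
    if host.lower() == "localhost":   # RewriteCond %{HTTP_HOST} !^localhost$ [NC]
        return None
    if exclude_realm and REALM_RE.match(request_uri):
        return None
    m = HOST_RE.match(host)           # last matched RewriteCond, so %1 is its group 1
    if not m:
        return None
    return "https://%s%s" % (m.group(1), request_uri)   # RewriteRule ^ https://%1%{REQUEST_URI}


def autoversion(path):
    """Map /check_auth.1234567890/index.htm back to /check_auth/index.htm.

    The rule has no [R] flag, so Apache applies it internally: the browser
    keeps the timestamped URL, which is what is meant to defeat its cache."""
    m = VERSION_RE.match(path)
    return m.group(1) + m.group(2) if m else path
```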

Logging In and Logging Out

Logging out of a Basic Auth session is tricky. Try clicking here... check_auth/give_me_a_401.html