Password Protection tool

Client reported tool ( wasn’t behaving.


Some time ago, the webteam decided to change their convention for providing friendly urls. They create a friendly alias in htdocs, and point it at a folder named website in the owners home directory. For example, , files in /users/u/g/ugrsrch/public_html , files in /users/u/g/ugrsrch/website

(Never mind that if both folders exist, these are now two distinct websites. Holy broken bookmarks and more, Batman.)

So, the password utility at

needed to be updated to recognize the existence and priority of a website folder. this was actually pretty easy. The tricky part is the construction of .htaccess . Given a REMOTE_USER of kapoodle, it is easy enough to generate this, to force SSL:

ErrorDocument 403

But now our client wants How do I infer

ErrorDocument 403


turns out not to be an issue: On Mar 6, 2013, at 1:42 PM, Benjamin Coddington <> wrote:

Wes, I don’t think you need to worry about forcing SSL for authentication
anymore.  A couple years ago we wrote an apache module that monitors all the
server’s responses looking for the WWW-Authenticate: Basic header, and if
the response would be sent un-encrypted the server instead hijacks the
response and turns it into a redirect to the same location over SSL.

This nicely eliminated the possibility of sending WWW-Authenticate: Basic in
plain text, and I think it also means you don’t have to worry about
SSLRequireSSL and .htaccess-https for authentication purposes.

About Wesley Wright

Born on a mountain top near New York City, Craziest state in the land of the pretty. Raised in the woods so's he knew every tree, Killed him a bear when he was only three.
This entry was posted in Wes and tagged . Bookmark the permalink.