Secure Site Using .htaccess Without Double Verification


I searched for what felt like hours for a solution to this problem. In my searching I realized that many people had a similar issue, but none of the offered solutions were working. I couldn’t get my site to stop asking me for htaccess verification twice. It would ask me over http (NOT GOOD!) and then it would ask again over https (WHAT WE WANT). If you want to learn how to make the .htaccess and .htpasswd files you can follow a great tutorial here.

This tutorial will be nice and concise, because I’m sure anyone reading this has had enough “fun” searching for an answer, and could care less about my ranting. So, here we go…

(Note: This article assumes that you know how to make and upload a .htaccess file to your server. For instructions on how to do this click here.)

 

Step 1:

The first step in securing your site with a .htaccess file is to add the following lines near the top:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This will force your site to go from http:// to https://, which is what we’re trying to accomplish.

 

Step 2:

You need to ensure that your site only offers the .htaccess login via https://, and not http://.

To do this, add the following lines after the ones from Step 1:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "mysecuresite.com"

NOTE: You need to replace “mysecuresite.com” with your own base domain. If the domain you’re trying to protect is “mydomain.com/subdomain”, you simply put in “mydomain.com”.

If your domain is “subdomain.mydomain.com”, your base domain will NEED to be “subdomain.mydomain.com”.

 

Step 3:

Next, we’ll add the password requirement:

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile base/path/to/file/.htpasswd
Require valid-user

You need to replace “base/path/to/file/.htpasswd” with your own path.

 

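To find out what your exact path is, you can create a new .php file (named something like mypath.php) and delete it from the server once you have the path, since it reveals your directory layout to anyone who requests it. Put the following lines of code in it:**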

<?php
// Directory that contains this script.
$dir = dirname(__FILE__);
echo "<p>Full path to this dir: " . $dir . "</p>";
echo "<p>Full path to a .htpasswd file in this dir: " . $dir . "/.htpasswd" . "</p>";
?>
**Graciously borrowed from www.htaccesstools.com

 

When you’re finished with the .htaccess file it should look like this:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "mysecuresite.com"

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile base/path/to/file/.htpasswd
Require valid-user
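
To confirm the result, the check below (an added example, not part of the original tutorial) reads the headers of a plain-HTTP response and reports LEAK if the server asked for the password over http://, or REDIRECT / DENIED if it did not. The function name, the labels and the sample responses are constructed for illustration; pass the http:// URL of your protected area as the first argument to test a live site with curl.

```shell
#!/bin/sh
# Added example: classify the response headers of a plain-HTTP request.
# Reads headers (as printed by `curl -sI`) on stdin, prints one label:
#   LEAK     - Basic auth challenge sent over cleartext (the double prompt)
#   REDIRECT - 3xx pointing at an https:// URL, no challenge
#   DENIED   - 403, refused without a challenge
#   OTHER    - anything else, e.g. 200 (content served over HTTP)
classify_http_response() {
    chr_headers=$(tr -d '\r')    # HTTP header lines end in CRLF
    chr_status=$(printf '%s\n' "$chr_headers" | awk 'NR==1 {print $2}')
    chr_location=$(printf '%s\n' "$chr_headers" | grep -i '^location:' |
        head -n 1 | sed 's/^[^:]*: *//')
    if [ "$chr_status" = "401" ] ||
        printf '%s\n' "$chr_headers" | grep -qi '^www-authenticate:'; then
        echo LEAK
    elif [ "${chr_status#3}" != "$chr_status" ] &&
        [ "${chr_location#https://}" != "$chr_location" ]; then
        echo REDIRECT
    elif [ "$chr_status" = "403" ]; then
        echo DENIED
    else
        echo OTHER
    fi
}

# Constructed sample responses (not captured from a real server).
sample_leak() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'WWW-Authenticate: Basic realm="Password Protected Area"\r\n\r\n'
}
sample_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\n'
    printf 'Location: https://mysecuresite.com/\r\n\r\n'
}
sample_denied() { printf 'HTTP/1.1 403 Forbidden\r\n\r\n'; }

if [ "$#" -gt 0 ]; then
    # Live check: pass the http:// URL of the protected area.
    curl -sI "$1" | classify_http_response
else
    for s in sample_leak sample_redirect sample_denied; do
        printf '%s: %s\n' "$s" "$("$s" | classify_http_response)"
    done
fi
```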

Hopefully this helps you avoid double authentication on your site. Good luck, and happy coding!

