.htaccess protecting directories?

jc94062

This isn't exactly PHP but its the best place I can think of to post it.
I'm trying to use .htaccess to prevent access to some of my pages (specifically the admin part of a phorum db I'm trying atm) Well, I've found that if I go in without the htaccess, then upload htaccess I can still get it without a username/password.

If I've already been into the directory I can go cancel (or get pw wrong 3 times in a row) then click back, and forward on my browser and I go right in! This doesn't work if I put the .htaccess into a directory where I haven't been before, but it does mean that if theres a user whos name is removed from .htaccess, he/she can still get in for days (at least 3) afterwards!

Is there anyway to stop this, and does this "bug" ever expire?!

Thanks

[deleted]

You could be seeing a cached copy of the page that you are nolonger allowed to access.
If you have properly setup the .htaccess file, you should not be able to get in at all if you don't have a proper username/password combo.
Check your webserver logfiles to see if you did actually get in.

Also, you may want to check your webserver setup, because some webservers can de configured to ignore or partially ignore the htaccess files, to stop people from granting themselves rights that the webserver denies by default.

jc94062

Ah, thanks, I altered it to say Hello, it didn't, until I went it properly, so its just cached (and won't let me upload, so thats not too bad)

Incidently, I added this line to the end of my .htaccess file

ErrorDocument 401 http://www.mysite.com/unauth.php

to try and give a default error msg, it doesn't work, gives me the normal one, any idea why?

Thanks again

Anon

in reply to your 401 error... MSIE 5.0 sux. it will not show some error documents, i find particularly 404's it will insert its own. 403/500's are usually allowed.

Anyways -does anyone have any answer to this .htaccess expiration problem? I encountered the same thing - and it scared me!

I found this http://www.sambar.com/syshelp/htaccess.htm interesting, but i dont know if samvar = apache = normal web servers.

Otherwise, i think putting some form of meta tag in EVERY SINGLE html page is the only option. which kinda sux if you have a BLANK DIRECTORY LISTING you are trying to block.

-- Alan!