
[SOLVED] localhost/xampp won't ask for authentication

Posted: 29. June 2015 10:55
by piadph
I have a problem with security setup for xampp.
I have set up a password for both xampp pages and phpMyAdmin (statuses are all green under localhost/security/index.php).
When I try to connect to phpMyAdmin, everything is ok, it asks me for username and password. The problem occurs when I access localhost/xampp.
It connects without any authentication.
I tried clearing all history/cookies/cache in the browser and restarted apache and mySQL modules.

I have checked in C:/xampp/htdocs/xampp for the .htaccess file. It is there and it contains:

AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
Require valid-user

Authentication type is set to 'cookie'.

So what I'm trying to do is:
- limit access to localhost/xampp site, so only authorized users can see it
- if possible ask for username/password every time I try to access the site or access security page

What am I missing here?


*I also tried creating another .htaccess file in "C:/xampp/htdocs" just to see what happens. It still accesses localhost/xampp without asking for username/password, but it does ask when I try to access localhost/mantis (it is in "C:/xampp/htdocs/mantis")

Re: localhost/xampp won't ask for authentication

Posted: 29. June 2015 13:17
by JJ_Tagy
Did you check the contents of C:\xampp\security\xampp.users ?

Maybe you saved username/password in browser or still have browser running when you clear the cache?

Re: localhost/xampp won't ask for authentication

Posted: 30. June 2015 06:09
by gsmith
Why is explained in the comment at the very bottom of c:/xampp/apache/conf/httpd-xampp.conf

c:/xampp/apache/conf/httpd-xampp.conf wrote:
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

#Now, in httpd-xampp.conf the new security concept tells Apache to allow local connections. There is an implied <RequireAny> in Apache 2.4. It is hard to find and buried in http://httpd.apache.org/docs/2.4/mod/mo ... _core.html
#When multiple Require directives are used in a single configuration section and are not contained in another authorization directive like <RequireAll>, they are implicitly contained within a <RequireAny> directive.
#Therefore when you add your Require valid-user to your htaccess, what Apache sees is this;
#<RequireAny>
#Require local
#Require valid-user
#</RequireAny>


So it is going to require any one of the two possibilities. When you are on the computer running Xampp, you are on the "local" machine and therefore it will not ask for username/password because you are allowed in by the Require local statement.

Re: localhost/xampp won't ask for authentication

Posted: 30. June 2015 07:19
by piadph
That's it!
So I've replaced the "Require local" with

<RequireAll>
Require valid-user
Require local
</RequireAll>

and it works. :)

Thanks!
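
The two rule sets from this thread (the combined rules gsmith describes and the <RequireAll> replacement), evaluated for every client situation. This is an added example, not code from any poster or from XAMPP/Apache. It is a simplified model that only decides grant or deny, and the names BEFORE, AFTER, parse, granted and access_table are made up for the illustration.

```python
import re

# Constructed inputs: the combined rules as described in the thread, and the fix.
BEFORE = "Require local\nRequire valid-user\n"
AFTER = "<RequireAll>\nRequire valid-user\nRequire local\n</RequireAll>\n"

def parse(text):
    """Return a nested [op, child, ...] tree. Bare top-level Require lines go
    into an implicit RequireAny, per the Apache 2.4 docs quoted in the thread."""
    root = ["any"]
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<Require(Any|All)>", line, re.I)
        closed = re.fullmatch(r"</Require(Any|All)>", line, re.I)
        rule = re.fullmatch(r"Require\s+(local|valid-user)", line, re.I)
        if opened:
            node = [opened.group(1).lower()]
            stack[-1].append(node)
            stack.append(node)
        elif closed:
            if len(stack) == 1 or stack[-1][0] != closed.group(1).lower():
                raise ValueError(f"unbalanced container: {line}")
            if len(stack[-1]) == 1:
                raise ValueError("empty container")
            stack.pop()
        elif rule:
            stack[-1].append(rule.group(1).lower())
        else:
            raise ValueError(f"unsupported line: {line}")
    if len(stack) != 1:
        raise ValueError("unclosed container")
    return root

def granted(node, is_local, has_login):
    """Evaluate the tree for one client; has_login means valid credentials sent."""
    if isinstance(node, str):
        return is_local if node == "local" else has_login
    results = [granted(child, is_local, has_login) for child in node[1:]]
    return any(results) if node[0] == "any" else all(results)

def access_table(text):
    """Map (is_local, has_login) -> granted for all four client situations."""
    tree = parse(text)
    return {(loc, log): granted(tree, loc, log)
            for loc in (True, False) for log in (True, False)}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, access_table(cfg))
```

The "before" table grants a local client with no credentials, which is the behaviour reported in the first post; the "after" table grants only a local client that also logs in, so remote clients are refused even with a valid password.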