Bypass .htaccess login when user has a specific cookie SetEnvIf

Question

This is how my .htaccess looks like:

AuthType Basic
AuthName "FORBIDDEN AREA"
AuthUserfile "../htdocs/site/.htpasswd"
AuthGroupFile /
Require valid-user

#Allow valid-user
Order Deny,Allow
Deny from all
SetEnvIf HTTP_COOKIE my_cookie_name norequire
Allow from env=norequire
Satisfy any

My user has a cookie, and if his cookie has a name "my_cookie_name" I would like that he bypasses the .htaccess login (authentication) so that he doesn't need to enter his username and password. I tried with SetEnvIF but it does't seem to work, or am I doing something wrong. If anyone has some suggestion I would be grateful to hear it?

Thanks

anubhava · Accepted Answer · 2014-07-01T20:59:43.347

2

You can use:

SetEnvIfNoCase Cookie PHPSESSID=.* PASS=1

AuthType Basic
AuthName "FORBIDDEN AREA"
AuthUserfile "../htdocs/site/.htpasswd"
AuthGroupFile /
Require valid-user

#Allow valid-user
Order Deny,Allow
Deny from all
Allow from env=PASS
Satisfy any

edited Jul 01 '14 at 20:59

answered Jul 01 '14 at 14:23

anubhava

761,203
64
569
643

I tried it but it won't work, always, asks for user/pass. The cookie has a name: "my_cookie_name", and a value: "5". – kingSlayer Jul 01 '14 at 15:48
still same, i also put "allow from my_ip" and it still asked for username/pass, maybe it's something with httpd.conf – kingSlayer Jul 01 '14 at 19:55
How is this cookie getting created? – anubhava Jul 01 '14 at 20:16
`` – kingSlayer Jul 01 '14 at 20:28
well, it seems that this works fine with IE, and firefox after restart (and going again to private browsing) - so it's solved, it seems my browser remembered some old settings, thanks – kingSlayer Jul 01 '14 at 20:41
Ah that's right, you need to restart browser to make it forget old auth sessions. – anubhava Jul 01 '14 at 20:42
Consider accepting the answer if it worked out for you. – anubhava Jul 01 '14 at 20:44
I'll accept it for Your dedication :) But this is working fine: `AuthType Basic AuthName "Protected Login" AuthUserfile "../htdocs/site/.htpasswd" AuthGroupFile "/dev/null" SetEnvIf Cookie PHPSESSID=.* PASS=1 Order deny,allow Deny from all Allow from env=PASS Require valid-user Satisfy any` – kingSlayer Jul 01 '14 at 20:55
Thanks and I have updated answer to help out future readers on SO. – anubhava Jul 01 '14 at 21:00
Where's the name of the cookie in this answer? Does this allow ANY cookie to bypass basic auth? – Eliezer Berlin Dec 18 '22 at 09:55
Check the SetEnvIfNoCase line that is checking a specific cookie to set env variable – anubhava Dec 18 '22 at 13:08

Bypass .htaccess login when user has a specific cookie SetEnvIf

1 Answers1

Linked