
.htaccess prompt for password

Might there be a way to set one's .htaccess file to prompt for authentication each time? Example: I open a browser tab, go to the pw protected url, I'm prompted for a pw. Close the tab (main browser still open) and repeat the above and be prompted for the pw again. This is not happening unless I close the browser. Maybe this is a caching thing?

Here's what I have so far:

AuthType Basic
AuthName "myName"
AuthUserFile "/home/myDir/.htpasswds/public_html/myName/passwd"
require valid-user

Thanks in advance.

user1040259 asked Jul 26 '12 14:07


People also ask

Is htaccess password secure?

If all the access is via SSL, then it's reasonably secure. Basic authentication without SSL only sends the username/password as base64 encoded - so it's trivial to extract the tokens via MITM or sniffing.

How do I make a URL password protected?

To password protect a URL go to the Security section in SiteTools and click Protected URLs. Under the URLs tab, choose the Domain and fill in the Path to the URL. If you do not have any users created you will be prompted to provide a user and password, which will be used to access the protected URL.


1 Answer

Actually it is working this way (simplified):

  • browser sends request to your server without credentials
  • Apache responds with a 403 error because "require valid-user" was specified
  • browser prompts for username & password
  • browser sends request again, this time credentials are provided
  • Apache verifies credentials against AuthUserFile and sets "valid-user" accordingly
  • if everything is OK - puts out data with 200 status code
  • browser that receives 200 code caches used credentials for the relevant domain until browser session expires

As you see, the problem lies in the browser. You cannot force the browser to forget the password it uses for a domain. And usually you don't want to: for example, if a password-protected page contains images, the browser would require the username and password for each downloaded image.

However there are some tips you could try:

  • you could write your own Apache authorization handler that only authorises the user every second time they access the page; but it's really hard to do
  • you could use some kind of form-based authentication (in a script like PHP or ASP.NET) instead of relying on HTTP authentication; this way is quite flexible
  • you could do a trick where every time a protected page is accessed, some kind of script changes the password in the passwd file; then provide two passwords for each user and switch them on each request; this way the browser always remembers the "wrong" password; it seems crazy but this is the easiest solution I could think of :-)
Kuba Wyrostek answered Oct 12 '22 09:10
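
The exchange described in the answer, as an added Python sketch that is not part of the original post. It models both sides: a stateless server check that judges each request only by its `Authorization` header (the challenge is modelled as a 401 with `WWW-Authenticate`, which is what opens the browser's password dialog), and a browser-side credential cache shared by all tabs. The names `server` and `Browser`, the user `alice`, and the plaintext user table standing in for AuthUserFile are assumptions made for the example.

```python
import base64
import hmac

REALM = "myName"                      # AuthName from the question's .htaccess
USERS = {"alice": "s3cret"}           # constructed stand-in for AuthUserFile


def server(headers):
    """Stateless check, as Basic auth does it: every request is judged only
    by its own Authorization header. Returns (status, response_headers)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
        except ValueError:            # malformed base64 or non-UTF-8 bytes
            user, pw = "", ""
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(pw.encode(), expected.encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


class Browser:
    """Models the browser's per-realm credential cache, shared by all tabs."""

    def __init__(self, prompt):
        self.prompt = prompt          # callable standing in for the password dialog
        self.cache = {}               # realm -> ready-made Authorization value
        self.prompts_shown = 0

    def open_tab(self):
        headers = {}
        if REALM in self.cache:       # cached credentials are sent without asking
            headers["Authorization"] = self.cache[REALM]
        status, _ = server(headers)
        if status == 401:             # challenge received: show the dialog once
            self.prompts_shown += 1
            user, pw = self.prompt()
            value = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
            status, _ = server({"Authorization": value})
            if status == 200:
                self.cache[REALM] = value   # kept until the browser exits
        return status
```

Because the server keeps no session, nothing in the .htaccess file can end one: the second tab succeeds without a prompt only because the browser replays the cached header, and the header itself is reversible base64, not encryption.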