# .htaccess challenging non-protected area

## audiodef

I set up an .htaccess file for an administration area of one of my sites. I've had users complain to me that they are getting an HTTP challenge when they are visiting the main site. I can't see why. This is my .htaccess file:

```
AuthName "(site) Administration"
AuthType Basic
AuthUserFile /some/dir/.htpasswd
Require valid-user
```

When I go to (site)/(admin area), I get the HTTP challenge. When I go to (site), I get no challenge. Yet, other users have gotten the challenge when they go to (site). 

.htaccess is inside (site)/(admin area). 

What's going on?

Anyone getting an HTTP challenge for http://abusedmen.org?

----------

## eccerr0r

I do get a prompt to enter a user/password by http://audiodef.com for "Synthetronica Administration".

Hitting "cancel" allows opening the main page.

Is this .htaccess for this main page or a parent directory of the page?

I also see this basic auth challenge on your http://audiodef.com/projects.php?project_id=1 link in your signature as well as the main audiodef.com page.

----------

## audiodef

This is not good. 

I just tried removing the Piwik code from one of my sites and a user was able to go there without getting an auth challenge. 

This is the code, straight from Piwik's control panel:

```
<!-- Piwik -->
<script type="text/javascript">
var pkBaseURL = (("https:" == document.location.protocol) ? "https://audiodef.com/piwik/" : "http://audiodef.com/piwik/");
document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
</script><script type="text/javascript">
try {
  var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 2);
  piwikTracker.trackPageView();
  piwikTracker.enableLinkTracking();
} catch( err ) {}
</script><noscript><p><img src="http://audiodef.com/piwik/piwik.php?idsite=2" style="border:0" alt="" /></p></noscript>
<!-- End Piwik Tracking Code -->
```

What the heck in Piwik produces an auth challenge?! One that fails anyway?

----------

## eccerr0r

I didn't check if I got a 401 on those basic auth pages by cancelling them (probably, though). Still looks like an .htaccess issue rather than JavaScript...

----------

## Hu

The server should not serve any password-restricted resource if you do not supply the password.  Since the page appears to be served, I suspect that the main page is not restricted, but that it includes one or more resources (images, scripts, etc.) that are restricted.  When you refuse to give a valid user, those secondary resources are withheld, but the site is sufficiently complete that the difference is not obvious.  I suggest using a web development tool, such as Firebug (if using Firefox), to inspect all the HTTP transactions initiated when visiting the main page.  That should show you which resource(s) are restricted.

----------

## audiodef

I posted to the Piwik forums and got a response from an admin. If you .htaccess-protect the Piwik dir, all sites tracked by Piwik will produce an auth challenge. I've thus decided to look into using an Apache directive instead of .htaccess to prevent stray users from seeing my Piwik page.

----------
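One way to keep the Piwik interface behind Basic auth without challenging visitors of tracked sites, as an added example that is not from the thread or from Piwik's documentation. It assumes Apache 2.4 authorization syntax and a placeholder document root; `piwik.js` and `piwik.php` are the two files the tracking snippet quoted in the thread loads on every tracked page.

```apache
# Added example. Assumptions: Apache 2.4 (mod_authz_core) and a
# placeholder document root /var/www/example; adjust both to the real setup.
<Directory "/var/www/example/piwik">
    # Everything under /piwik/ (the reporting UI, index.php, etc.)
    # requires a valid Basic auth login.
    AuthType Basic
    AuthName "Piwik Administration"
    AuthUserFile /some/dir/.htpasswd
    Require valid-user

    # The tracker endpoints are fetched by every visitor's browser from
    # every tracked site, so they must be served without a 401 challenge.
    # This <FilesMatch> section is merged after the enclosing <Directory>
    # and, with the default "AuthMerging Off", replaces its Require rule
    # for these two file names only.
    <FilesMatch "^piwik\.(js|php)$">
        Require all granted
    </FilesMatch>
</Directory>
```

`<FilesMatch>` matches on the file name at any depth below the directory, so check that no other file named `piwik.php` or `piwik.js` under it needs protection. The same exemption also works inside the directory's `.htaccess` when `AllowOverride AuthConfig` is in effect.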

