I have customized error pages setup on my site for the 302, 401, 403, 404 and 500 HTTP error codes. The five custom error page files are stored in the home directory.
I would also like to protect a specific directory with a password and have tried doing so with cPanel's "Password Protect Directories" feature.
I should also mention that in the home directory, there is an .htaccess file, with the following:
<limit GET POST PUT>
order deny,allow
allow from all
</limit>
Options -Indexes
ErrorDocument 302 /302.php
ErrorDocument 401 /401.php
ErrorDocument 403 /403.php
ErrorDocument 404 /404.php
ErrorDocument 500 /500.php
With that out of the way, I can now explain what's currently happening with this setup. Essentially, rather than the web browser prompting for the username and password, the password-protected page simply goes straight to the 401.php error page.
I've tried moving the error pages to their own directory, /error/, I've tried using cPanel's own error page setup tool (which uses .shtml files), and I've also tried a combination of cPanel's error pages and my own.
From my testing, it seems that cPanel's .shtml error pages work, but they are ugly and don't match the theme of the website. The error pages I made, use PHP to require files for the theme, as well as to echo back the user's requested URL.
I also seemingly had the combination of both sets of error pages working, even after I reuploaded the home directory's .htaccess file, but upon removing the set that cPanel made, everything broke again. I also don't know if it's good practice to use two sets of error pages, as follows:
<HOME_DIR>
--- <DIR>
--- .htaccess (contains code for password protection)
--- index.php
--- .htaccess (links to PHP error pages)
--- 302.php
--- 302.shtml
--- 401.php
--- 401.shtml
--- 403.php
--- 403.shtml
--- 404.php
--- 404.shtml
--- 500.php
--- 500.shtml
--- index.php
This is something that I've never experienced before. From what I can ascertain, the problem is coming from the .htaccess file under the home directory, but I'm not 100% on that.
Lastly, here is the .htaccess file that cPanel created when I set up the password protection (note: "<USER>" and "<DIR>" have been used for privacy) :
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/home/<USER>/.htpasswds/public_html/<DIR>/passwd"
require valid-user
It's an Apache server, by the way. Many thanks for any advice.
It appears that I've had to convert the error page files from .php to .shtml format. Along with that, all PHP require statements have been removed in favor of plain HTML (as I couldn't get them working, not even with SSI's #include statement), and lastly I've had to replace the PHP echo for the requested URL in favor of an SSI #echo.
This was more work than necessary for such a mundane thing. I have no idea why PHP conflicted with password-protected directories. This hasn't happened before as I've used PHP error pages in the past. It must be some kind of conflict between PHP and the password protection.
Well, for what it's worth, there's a 'solution'.