.htaccess: If Statement To Disable Password Protection If Get Parameter Is Set

I need password protection enabled, except when a certain get parameter is set.

Current working code (enables protection in folder secure):

<If "%{HTTP_HOST} =~ /^(?:.+\.)*sub\.domain\.com$/">
    SetEnvIfNoCase Request_URI "^/secure/" SECURE
</If>
Require valid-user
Order      allow,deny
Allow from  all
Deny from env=SECURE

When calling e.g. https://sub.domain.com/secure/?access_token=12345, password protection should not be enabled, something like this:

<If "%{HTTP_HOST} =~ /^(?:.+\.)*sub\.domain\.com$/">
    <If "%{QUERY_STRING} != /^access_token$/">
        SetEnvIfNoCase Request_URI "^/secure/" SECURE
    </If>
</If>

But "%{QUERY_STRING} != /^access_token$/" gives me an internal server error.

Answer

<If "%{QUERY_STRING} != /^access_token$/">

The Internal Server Error might be caused by the use of the != (not-equal) operator as used with strings instead of the !~ (not-match) operator to compare against the regex. For example, it should read:

 <If "%{QUERY_STRING} !~ /^access_token$/">

Although this is naturally successful when the QUERY_STRING is not exactly access_token. The access token value is omitted. So, maybe you also need /^access_token=12345$/.
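The operator distinction discussed in this answer, as an added example (not code from the question or the answer): a simplified Python model of a single Apache 2.4 expression comparison, in which `==`/`!=` take a string operand and `=~`/`!~` take a `/regex/`. The names `evaluate`, `parses` and `protected` are hypothetical, only quoted strings are modelled for `==`/`!=`, and the query strings are constructed samples.

```python
import re

# Simplified model of one ap_expr comparison: %{VAR} OP RHS.
# In the Apache 2.4 expression grammar, == and != compare strings (words),
# while =~ and !~ take a /regex/. This is not Apache's real parser.
_COMPARISON = re.compile(r'^%\{(\w+)\}\s*(==|!=|=~|!~)\s*(.+)$')


class ExprSyntaxError(ValueError):
    """Stands in for the parse failure that surfaces as a 500 in .htaccess."""


def evaluate(expr, env):
    m = _COMPARISON.match(expr.strip())
    if not m:
        raise ExprSyntaxError(f"unsupported expression: {expr}")
    var, op, rhs = m.groups()
    value = env.get(var, "")
    is_regex = len(rhs) >= 2 and rhs.startswith("/") and rhs.endswith("/")
    is_string = len(rhs) >= 2 and rhs[0] == rhs[-1] and rhs[0] in "'\""
    if op in ("=~", "!~"):
        if not is_regex:
            raise ExprSyntaxError(f"{op} needs a /regex/ operand")
        matched = re.search(rhs[1:-1], value) is not None
        return matched if op == "=~" else not matched
    if not is_string:
        raise ExprSyntaxError(f"{op} needs a quoted string, got {rhs}")
    equal = value == rhs[1:-1]
    return equal if op == "==" else not equal


def parses(expr):
    try:
        evaluate(expr, {})
        return True
    except ExprSyntaxError:
        return False


def protected(query_string, expr):
    """True when the <If> body would run, i.e. /secure/ stays protected."""
    return evaluate(expr, {"QUERY_STRING": query_string})


# Constructed sample expressions taken from the question and the answer.
ASKER = '%{QUERY_STRING} != /^access_token$/'
FIXED = '%{QUERY_STRING} !~ /^access_token$/'
WITH_VALUE = '%{QUERY_STRING} !~ /^access_token=12345$/'
```

Under `FIXED`, a request with `access_token=12345` is still protected because the pattern matches only the bare parameter name; `WITH_VALUE` lifts protection only when the query string is exactly `access_token=12345`.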

source: stackoverflow.com