I need to exclude one URL (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank or /callbacks/.*
Another approach works like this, if the area you are protecting has a monolithic PHP script controlling everything, like WordPress. Set up authentication within a different directory. Put an index.php there that sets a cookie on path '/'. Then in WordPress (for example), check the cookie, but bypass the check if $_SERVER['REQUEST_URI'] is the excluded URL.
On my shared hosting platform, RewriteRule could not set an environment variable that worked with "Satisfy any".
With any approach, watch out that the page you are protecting does not include images, stylesheets, etc., that trigger an authentication request when the page itself does not.
Using SetEnvIf, you can create a variable when the request starts with some path, then use the Satisfy Any directive to avoid having to log in.
# set an environment variable "noauth" if the request starts with "/callbacks/"
SetEnvIf Request_URI ^/callbacks/ noauth=1
# the auth block
AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd
# Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
The allow/deny chunk of directives says to deny access for EVERYONE, except when there is a valid-user (successful BASIC auth login) or if the noauth variable is set.
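On Apache 2.4, Order, Allow, Deny and Satisfy are only available through mod_access_compat, so the same policy is normally written with Require directives. The following is an added example, not part of the original answer; it reuses the answer's noauth variable and its placeholder path /xxx/.htpasswd, and assumes mod_setenvif and mod_authz_core are loaded.

```apache
# Set "noauth" only for requests whose path starts with "/callbacks/".
# Keep the trailing slash: "^/callbacks" alone would also exempt
# sibling paths such as /callbacks-old from authentication.
SetEnvIf Request_URI ^/callbacks/ noauth=1

# The auth block (same realm and password file as in the answer above)
AuthName "Please login."
AuthType Basic
AuthUserFile /xxx/.htpasswd

# Apache 2.4 replacement for "Order Deny,Allow" + "Satisfy any":
# access is granted if ANY of the enclosed Require lines matches.
<RequireAny>
    # Exempt requests flagged by the SetEnvIf line above
    Require env noauth
    # Everyone else needs a successful Basic Auth login
    Require valid-user
</RequireAny>
```

Use one style or the other in a given .htaccess file; the Apache documentation discourages mixing the 2.2 access directives with Require.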