Apache .htaccess trick to authenticate only once for all subdomains? [duplicate]

I'm using something like this in .htaccess file to restrict access to the website:

AuthUserFile /some/directory/.passwd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require valid-user

This works fine but the user is asked to authenticate each time a subdomain is changed, like user1.mywebsite.com, user2.mywebsite.com or just mywebsite.com

Is there a way to tell Apache2 that when a user is authenticated against one subdomain, it should grant him access to all others as well?


Solution 1:

Not possible; you can use a single .htaccess file to grant access to anything in your directory tree with the same credentials, but authentication is required for each unique subdomain.

As Benny points out, you'll need session-based authentication in some form to accomplish this.

Solution 2:

It is impossible to do such thing by http basic auth specs. Realms bob.example.com and elisa.example.com are two different protection spaces and almost every browser will treat them as 2 seperate,different realms to whom different authentification credentials should be suplied.

How ever, there is solution - HTTP digest auth . It allows you to specify all domains that are URLs in protection space. However, it does not allow wildcard subdomains, so after dozen of domains it gets quite a PITA. Example config .

<Location />
  AuthType Digest
  AuthName "teh realm"
  AuthDigestAlgorithm MD5
  AuthDigestDomain / http://domain.com/ http://subdomain.domain.com/ 
  AuthDigestQop auth
  AuthDigestProvider file
  AuthUserFile /etc/apache2/.htpasswd-digest
</Location>

IMO, that your only choice is to write own FastCGI authenticator who users cookies, who allow wildcard subdomains . If you have few domains, its easier to stick with digest.