I have a page on my apache which I protect with Basic Auth.
With a JavaScript, I want to check if the browser has any credentials for that page or not, so I want to load the page with a jQuery ajax call, hoping for getting either the page or an 401 error.
Unfortunately, the browser always asks me for credentials in the latter case, which I do not want – I just want to know if I needed credentials or not!
I've read that the browser only asks if the WWW-Authenticate: header is set, so I want to suppress it or edit it so that the browser doesn't know it.
This is my .htaccess (the edit line comes from coderwall.com):
Authtype Basic
AuthName "abcdef"
AuthUserFile some/folder/at/the/xampp/.htpasswd
Require valid-user
Header always add HelloHello "Blupp"
Header always edit WWW-Authenticate ^Basic SR_Basic
This is (partly) what I get with curl -I <url>:
HTTP/1.1 401 Unauthorized
Date: Thu, 14 Sep 2017 12:48:52 GMT
Server: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.21
WWW-Authenticate: Basic realm="abcdef"
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Content-Type: text/html; charset=utf-8
Content-Language: en
You see, the WWW-Authenticate header is not modified, and the HelloHello header has not been applied! When I comment out the first 4 lines (the basic auth), I correctly get the HelloHello: Blupp.
Using the line Header always unset WWW-Authenticate instead brings no change.
How can I modify / suppress the header?
The problem here is the order that Apache modules are loaded and processed.
You can see the modules order running this command:
You'll see that auth_*_module are loaded before the headers_module so you cannot add headers or modify existing ones.
Viewing the Apache documentation, the loading order of the modules is determined in the module's own source code.