Understand why apache authentication doesn't ask for credentials every time the page is loaded?

I've succeeded in password protecting a file in my apache web server but once the credentials are given the first time (when visiting the page) they are not asked for again. Is this normal?

Note: I have tried ctrl+F5 in my browser to refresh without usiing cached but remain logged into the page anyway. Thanks


2 Replies

Short answer: yes

Long answer: Your browser caches the credentials for the page separately from the page cache, and only deletes them when it's closed or possibly after a really long timeout (I believe Chrome might delete them after 30 days or so, as I have had it reprompt me for a page when I hadn't restarted the browser). The credentials are sent with every request, so you can invalidate them on the server just by deleting them from the htpasswd file. You can also make an incognito window (or whatever your browser of choice calls it), which won't use the existing cached credentials, but will have its own cache once you enter them for the first time (which obviously goes away once the window is closed).


Thanks for the reply. Those things are very good to know.

I'm not terribly worried about anyone using this (local) machine I'm on --unless it were stolen and hacked somehow.

I wonder if there is a way to fix the issue locally (in the client / browser)? Using an incognito window isn't a bad idea I just think it's something I wouldn't think to do.



Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct