6

I am running apache2 and php5 on my Windows PC.

I have protected my directory using .htaccess and .htpasswd. If login information is not set, or if the username-password combination is not correct, the browser will prompt with a username and password box by default if a user tries to access the protected dir.

But I want to redirect the user to a specific address or url. In short, I want to redirect user instead of displaying the HTTP basic authentication dialog. How can I make this possible?

4
  • Are you saying that you want to redirect instead of displaying the HTTP Basic Auth dialog, or are you saying that if the login fails that you want to redirect to a custom error document? Commented Apr 21, 2011 at 17:17
  • 2
    Redirect all users, or simply the ones who aren't logged in? Commented Apr 21, 2011 at 17:18
  • There you are :). I want to redirect instead of displaying the HTTP Basic Auth dialog. I want to redirect if login fails or if it is not set. Commented Apr 21, 2011 at 17:19
  • @Marc B, I want to redirect if either users are not logged in or if they provide a wrong username/password Commented Apr 21, 2011 at 17:20

5 Answers 5

4

Answer explanation :

You need to implement a custom authentication, natively you can not redirect on authentication fail.

Solution :

A custom ErrorDocument implementation using an HTML meta tag to make the redirection possible on authentication fail and let the user access the protected area on authentication success. (The server will always cast out a 401 on first load before the user and password are entered, because the browser is not expecting such authentication in the first place and gets refused access.)

    AuthUserFile /path/to/users
    AuthName "Access Denied"
    AuthGroupFile /dev/null
    AuthType Basic
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/failed.html\"></html>"

Alternative I :

Since Apache 2.4, you can use mod_auth_form with htaccess to make an advanced authentication and use a more reliable solution:

http://httpd.apache.org/docs/trunk/mod/mod_auth_form.html

Alternative II :

Use PHP to handle the 401:

    ErrorDocument 401 /handle.php

http://php.net/manual/en/features.http-auth.php

Extended Security :

    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/kickout.php\"></html>"
    ErrorDocument 400 /kickout.php
    ErrorDocument 403 /kickout.php
    ErrorDocument 500 /kickout.php
    Deny from all
    Allow from 192.200.x.x
    Allow from 192.200.x.x
    Allow from 127.0.0.1
    Allow from localhost
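
Alternative I above, sketched as an added example (not code from the original answer or from the Apache project): an Apache 2.4 server-config fragment in which mod_auth_form redirects unauthenticated requests, and failed logins, to a login page instead of issuing a Basic challenge. The `/private` and `/dologin` paths, the `example.com` URLs, the realm, the cookie name and the passphrase placeholder are assumptions.

```apache
# Added example. Assumes mod_auth_form, mod_session, mod_session_cookie,
# mod_session_crypto and mod_request are loaded, and that the site is HTTPS-only.

# Protected area (hypothetical path).
<Location "/private">
    AuthType form
    AuthName "Private Area"
    AuthFormProvider file
    AuthUserFile "/path/to/users"
    Require valid-user

    # No 401 challenge: clients without a valid session are redirected here.
    AuthFormLoginRequiredLocation "https://example.com/login.html"

    # The login is carried in a session cookie, so encrypt it and restrict it.
    Session On
    SessionCookieName session path=/;httponly;secure
    # Placeholder: replace with a long random secret kept out of the docroot.
    SessionCryptoPassphrase REPLACE_WITH_LONG_RANDOM_SECRET
</Location>

# Target of the login form (hypothetical path). login.html must live outside
# /private and POST the fields httpd_username and httpd_password to /dologin.
<Location "/dologin">
    SetHandler form-login-handler
    AuthType form
    AuthName "Private Area"
    AuthFormProvider file
    AuthUserFile "/path/to/users"

    # Wrong or missing credentials go back to the login page,
    # a successful login goes on to the protected area.
    AuthFormLoginRequiredLocation "https://example.com/login.html"
    AuthFormLoginSuccessLocation "https://example.com/private/"

    Session On
    SessionCookieName session path=/;httponly;secure
    SessionCryptoPassphrase REPLACE_WITH_LONG_RANDOM_SECRET
</Location>
```

Both blocks must use the same `AuthName`, cookie name and passphrase, otherwise the session written by the login handler is not accepted by the protected location.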

3

I got this to work with an approach similar to AJ's. My .htaccess file is very similar to the following:

    AuthUserFile /opt/www/htaccess
    AuthType Basic
    DirectoryIndex public.txt

    <Files "secret.txt">
        require valid-user
        FileETag None
        Header unset ETag
        Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    </Files>

    <Files "public.txt">
        FileETag None
        Header unset ETag
        Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    </Files>

    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP:Authorization} !=""
    RewriteRule ^$ secret.txt [L]

With this, the site behaves as follows:

1) Access the base URL -> see content from public.txt.
2) Access /secret.txt -> prompted to authenticate, and shown the contents of secret.txt.
3) Access the base URL again -> see content from secret.txt.

Using [L,R] instead of [L] will use a 302 response to handle the redirection. This is a good option if you want the redirection to be visible in the browser's location field.

<aside>Yes, I realize that this is a very late answer. The question was high in the Google search results, though, so I wanted to detail my approach in case I find myself doing the same search in the future. If anyone else benefits, it's even better.</aside>

2

Revised answer...I believe you can do this with mod_rewrite. Here is an example I found:

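    # turn on rewrite engine
    RewriteEngine on
    # if authorization header is empty (non-authenticated client)
    RewriteCond %{HTTP:Authorization} ^$
    # redirect to new url (in .htaccess the pattern is matched without a leading
    # slash; the R flag makes this an external redirect, not an internal rewrite)
    RewriteRule ^current/path$ /new/path [R,L]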

Caveat emptor...I'm not able to test this at the moment. Give it a try though, put this in your .htaccess and change the paths to suit your environment.

2 Comments

How can I use this if the user is not logged in??
@blasteralfred - any luck with the Rewrite method?

2

You can use http authentication in PHP in addition to Apache (via .htaccess). This might give you more control.

From the manual:

    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Text to send if user hits Cancel button';
        exit;
    } else {
        // do the redirect here?
    }

2 Comments

I want a solution using htaccess
And where do I have to specify the correct username and password? @jmathai

0

I had the same question and although this is an old thread, I ended up simply using the 401 error document to display a particular page if authentication failed...

    ErrorDocument 401 /not-logged-in.php

This seemed to do the trick for me in a simple way.
