The HTTP authentication (httpauth) module will be deprecated in favour of Secure Site (securesite), and we need to make sure we don't lose any functionality in the process. There is one feature missing in securesite.

httpauth forces authentication on restricted pages but only on certain paths. This functionality is to keep the authentication away from users visiting using their normal browser (by limiting it to RSS paths such as */feed and index.rss).

Proposal is to add a text field called Only force authentication on the following restricted pages. If this text field is empty, all paths match. If this text field is not empty, it is interpreted like the Show only on pages option for blocks. Preferably this field would dynamically appear depending on the selected Force authentication setting.

Members fund testing for the Drupal project. Drupal Association Learn more


decafdennis’s picture

Title: Add 'On certain restricted pages' setting » Add 'Only force authentication on the following restricted pages' setting
Darren Oh’s picture

Version: 6.x-2.1 » 6.x-2.x-dev

I think what we need is something less than forced authentication. An optional HTTP authentication that would show the anonymous user version of the page if the user cancels the authentication dialog. It might be best to have a separate tab on the settings page for this.

Darren Oh’s picture

Assigned: Unassigned » Darren Oh
Status: Active » Needs work
2.25 KB

I lost most of the work I did on this, but here is a patch of what I could save.

salvis’s picture

#2: Maybe that can be useful as well, but SecureSite for D5 used to offer exactly what naquah described in the OP, and this is must-have functionality in my book.

If a feed is protected, then every access by every feed reader causes a watchdog 'access denied' entry, which is a royal pain. There is no "anonymous user version" of those pages — only the 'access denied' page and the watchdog entry.

And, just like naquah, I'd like to get the login dialog only for feed paths and keep the Drupal log-in form for all other accesses to protected pages.

Using forced authentication on the feed pages allows the smart feed readers to access, and it keeps the dumb ones out of the site and out of the watchdog log. Exactly what we need for this use case. Maybe that code is still in 6.x-1.x?

Being able to trigger authentication (like httpauth's ?authenticate parameter for feeds that show more items if authenticated) would be a nice plus, but it's above and beyond the basic request in the OP.

Darren Oh’s picture

I think there is a misunderstanding here. You can already enable HTTP authentication without forcing it. There was a bug in the update from Drupal 5 to Drupal 6 that kept settings from being properly transferred, so check your Secure Site settings page.

salvis’s picture

(Argh, I shouldn't have written that last paragraph in #4 — it distracted from my message. Please ignore it!)

yareckon’s picture

We do need the ability to specify which paths trigger http authentication, and which get a normal drupal 403. My use case is the same as salvis'. I have a site where no content is available to non logged in users. So login will be needed in all cases.

I need the normal drupal login form to appear in most cases (it has been customised and hooked by other modules for my site).

However, for RSS readers, I want the http basic authentication, as this is the only thing that they understand. I would love to be able to trigger this great module only on these URLS.

Darren Oh’s picture

I don't think either of you studied my patch. I was working on exactly what you are asking for, plus the ability to show the non-logged in version of a page if HTTP authentication is canceled. Haven't had time to work on it since.

macpharmer’s picture

Darren, your patch isn't completely functional, is it? I see the HTTP authentication pages page, but it's empty other than the Save configuration and Reset to defaults buttons. This is the last issue I have to solve to complete my D6 upgrade. My entire site is password protected, and I only need to have a RSS podcast feed to use http auth so that people can subscribe to it in iTunes. Can I manually set the path I want in the database somewhere, or in one of the module files? I'm no PHP or MySQL expert, but I'm comfortable updating code if given a patch. Thanks in advance.

Darren Oh’s picture

That's correct. If my patch were complete I would simply have committed it. I posted it here to help anyone who wants to work on the issue.

BenK’s picture

+1 for this feature.... I need to restrict pages only for certain paths. I used to be able to do this in the 5.x version of the module and it was my primary reason for using the module. I'd love to see this feature brought back.


TimmerCA’s picture

I agree; the ability to secure only certain paths is critical. There is even an option that says "Force authentication: On restricted pages", but I can't find anywhere to specify which pages should be restricted.

Also, there ought to be the inverse: "Force authentication: On all pages except for..." with the ability to list certain URLs that do not require authentication (/cron.php, for example).

Agileware’s picture


This is definitely needed.

Grayside’s picture

Try Tokenauth.

kenorb’s picture


NynjaWitay’s picture

I would love path (and maybe even token) support for blocking "restricted page" access. I am trying to build a site where anonymous users are blocked from viewing everything. Well I wanted to add the invite module to my site to allow invite only for a little bit. Problem is, the invite accept page requires authenticating as a drupal user to view.

As a temporary fix, I edited the securesite-page.tpl to have the signup form on it and my site configured to require administrator approval. This almost works. The problem is that the "thank you for registering" page gets redirected to the login page and so it is a little confusing to users signing up. I'm imagining getting lots of double submissions unless I can get a large enough warning message on there.

Is there maybe a hook I can write that will maybe create an exclusion list for paths? That would be enough for me. I just need invite/* and one or two other paths.

afreeman’s picture


bjcool’s picture


Need this feature...

jacoblane’s picture


kenorb’s picture

dkingofpa’s picture


I've been looking for the ability to set restricted access using paths. Right now, I'm using a custom module kludge. Should there be a separate issue created for this? Seems like we hijacked the OP's thread and there isn't any other issue that specifically requests the "restrict access by path" feature.

salvis’s picture

@dkingofpa: Secure Site's business is providing alternative authentication mechanisms. There are other modules that protect pages from anonymous users. I'm sure you'll find one that does what you want.

dkingofpa’s picture

@salvis: If Secure Site is only about providing alternative authentication mechanisms, then why does it provide an HTML form method for authentication? Drupal has that by default.

I've seen plenty of access control modules for securing nodes, content, forums, and even your ACL module. However, I haven't found one that will do it for paths.

dkingofpa’s picture

To do access control by path, you can use Path Access ( That will throw a drupal_access_denied() on paths you want to secure. Then you can use Secure Site or LoginToboggan ( to display a login form.

batje’s picture

Version: 6.x-2.x-dev » 7.x-2.x-dev
Issue summary: View changes
4.27 KB

We have a use case for this. We have authenticated users that use standard login and access denied and everything.

Then we have a few views exports that generate csv. This csv is accessed by other computers as inputs for feeds. Feeds supports HTTP Auth quite nicely.
So we only want to protect a few URLs in our website with HTTP AUTH. Attached patch does this(for Drupal 7).

kenorb’s picture

Assigned: Darren Oh » Unassigned
Status: Needs work » Needs review
gocaps’s picture

Thanks @batje for your patch; I can confirm it works as you intended. However, I'm not able to get this to work for allowing authenticated access to an RSS feed from an RSS reader. This happens using 7.x-2.0-beta3, with or without @batje's patch.

I've created an RSS feed using Views, and set Access: Permission | Access secure pages.

- If I load my feed from the browser I get prompted for username/password and it works.
- If I fetch the XML using wget, I can pull down the XML file: wget --http-user="me" --http-passwd="mypword" 'http://my/feed/rss.xml'

But when I try to use an RSS reader such as iTunes, RSS Owl, Vienna, I get prompted for username/password, but the reader cannot access the feed. The best error message I've got was from Vienna: "Error retrieving RSS feed: The request failed because it redirected too many times".

In watchdog I can see that a session gets opened for the user, but there's always a subsequent Access Denied entry for my feed path, and the user is Anonymous. Seems like the reader isn't using the user session it opened.

Has anyone been able to make this work? It worked properly in Drupal 6 using the HTTP Authentication module using the same version of the RSS readers I mentioned above.

Darren Oh’s picture

Assigned: Unassigned » Darren Oh
Status: Needs review » Needs work

University of British Columbia has sponsored work on this issue.

Darren Oh’s picture

gocaps, the bug you found was reported in #2484755: Redirect loop with "drupal_goto" function. I will post updates there.