Hello

I've got an .htaccess file with the following lines doing mysql authorisation:

    AuthMySQLAuthoritative Off
    AuthName "Members Only"
    AuthType Basic
    AuthGroupFile /dev/null
    AuthMySQLHost XXXXXXXXXXXXXX
    AuthMySQLDB XXXXXXXXXXXXXX
    AuthMySQLUser XXXXXXXXXXXXXX
    AuthMySQLPassword XXXXXXXXXXXXXX
    AuthMySQLUserTable XXXXXXXXXXXXXX
    AuthMySQLNameField username
    AuthMySQLPasswordField password
    AuthMySQLPwEncryption none
    AuthMySQLUserCondition "status=1 AND siteid=3"
    require valid-user

All works well, but when a user that doesn't exist is entered in the dialog box it goes to:

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

When the user exists but just the password is wrong 3 times in a row, it just goes to:

    Authorization Required

    This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

which it is supposed to, I guess? :>

Anyway, I would make it go to an error page like this even when just the user is wrong. The internal server error page is quite frightening for most of the users and they tend to refund, which is bad.

Thank you guys!
From a site admin security point of view, the above behavior appears totally normal and beneficial to me.

A user is never intended to make mistakes; hackers guess and make mistakes. By having 500 errors you have a daily account of completely wrong login attempts in your access_log stats, which may be an indicator for you of the volume of attempted hacker activities.

A wrong password 3x ... in normal server configurations, fail2ban would ban an IP by default at the latest after 3 failed logins (I prefer after ONE failed login!).

Keep in mind that normal users with modern browsers on their OWN computer would most likely have their login / password stored in the browser and thus never make errors at all. Hence errors, even single ones, may show NON-normal login attempts, like hackers, login by bots, etc.

If you really want to display a regular error page for a 500 error, then you may change your server default configuration to achieve that, depending on YOUR precise OS / dist. In my openSUSE Apache config folders I have an errors.conf file which allows what you seem to want: to re-configure NEW non-default error pages/error messages for 500 or other errors as well.
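
The access_log review suggested in the reply above, as an added example that is not part of the original thread: it counts, per client IP, the 500 responses (unknown username, as the question describes for this setup) and the 401 responses (wrong password) on the protected area. The /members/ path, the log lines and the threshold are constructed assumptions, and a 500 can have other causes on a real server.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - admin [10/Mar/2024:10:00:01 +0000] "GET /members/ HTTP/1.1" 500 532 "-" "curl/8.0"
203.0.113.7 - root [10/Mar/2024:10:00:02 +0000] "GET /members/ HTTP/1.1" 500 532 "-" "curl/8.0"
203.0.113.7 - test [10/Mar/2024:10:00:03 +0000] "GET /members/ HTTP/1.1" 500 532 "-" "curl/8.0"
198.51.100.4 - alice [10/Mar/2024:10:05:00 +0000] "GET /members/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
198.51.100.4 - alice [10/Mar/2024:10:05:09 +0000] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:06:00 +0000] "GET /members/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.0.2.9 - bob [10/Mar/2024:10:06:05 +0000] "GET /other/ HTTP/1.1" 500 532 "-" "Mozilla/5.0"
"""

# Assumption taken from the thread: on the protected area, 500 means the
# username does not exist and 401 means the password was wrong.
REASON = {"500": "unknown_user", "401": "bad_password"}
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def summarize(log_text, protected_prefix="/members/"):
    """Per-IP counts of failed logins and the usernames that were tried."""
    stats = defaultdict(lambda: {"unknown_user": 0, "bad_password": 0, "names": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(protected_prefix):
            continue
        # User "-" is the browser's first request without credentials, not a failure.
        if m["status"] not in REASON or m["user"] == "-":
            continue
        entry = stats[m["ip"]]
        entry[REASON[m["status"]]] += 1
        entry["names"].add(m["user"])
    return dict(stats)

def suspicious(stats, max_names=2):
    """IPs that tried more than max_names distinct usernames."""
    return sorted(ip for ip, s in stats.items() if len(s["names"]) > max_names)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(ip, s["unknown_user"], s["bad_password"], sorted(s["names"]))
    print("flag:", suspicious(result))
```

Counting distinct usernames per IP separates a member who mistyped once from a client cycling through names, which a raw count of 500s alone does not show.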