Content that should be protected is served without authentication intermittently

Our website hosting is with a shared hosting provider. The only configuration we can make is through .htaccess files, we can’t touch the apache configuration files that are sourced when apache first starts.

The website root directory is public_html/. We have some content that should only be accessible to members, and this content is all kept under public_html/members_only/ files and subdirectories. Members have a username/password to authenticate when they want to get to the members-only portion of the site. The public_html/members_only/.htaccess file is fairly simple as follows:

AuthUserFile /path/to/.htpasswd AuthType Basic AuthName "Password Protected" Options -Indexes AuthGroupFile /dev/null <RequireAll>     Require valid-user     Require method GET POST HEAD </RequireAll> 

When a particular file public_html/members_only/auto/xyz.pdf is requested in the browser the expected 401 status is returned, the browser prompts the user for their credentials and, if correctly entered, the request is sent again and the file is served. This is as expected. The problem is that when any other user who has not authenticated subsequently requests this same file, it’s served to them without authentication, at least for a while. Then, after some interval, the next request is only satisfied if the user is authenticated.

Just to be sure I’m not experiencing some kind of browser caching confusion I have verified this behavior using curl -D headers https://<my website>/members_only/auto/xyz.pdf and examined the headers file.

I noticed another question that sounds very similar to my problem, but there were no answers. I am out of ideas at this point. I’ve tried tech support for the hosting provider (Endurance International Group), they are worse than useless.