  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 427

How to validate a plaintext username/password against an existing .htpasswd file?

Hello experts,

I have an unusual question about an .htpasswd file. I've recently rebuilt a website on a LAMP box; the old site has a members area protected with .htaccess/.htpasswd. The new site uses a different method of access control. When the new site is launched, I want to make a special login area for the members of the old site where they can enter their username/password and receive a coupon code for a free month of access if they cancel their old membership and sign up again under the new system.

My problem is that I'm not sure how to do this. I thought it would be simple to take the username/password entered in the special login area and use the htpasswd program on the server to validate the combination. For example, let's say the person claiming to be an existing member gives this username/password combo:

mjcrls99
abc123

and let's say this line exists in the .htpasswd file:

mjcrls99:Um9Ykdtrljx1s

How can I verify that "Um9Ykdtrljx1s" does, or does not, represent "abc123"?

Does the htpasswd program use a one-way hash to produce its encrypted password? If so, there must be a hash key on the system somewhere that I could use on the user-supplied password to produce an encrypted string that could be compared to the one for that user in the .htpasswd file.

If I can't use the htpasswd program on apache for this, what else can I do? This must have a simple solution somehow.

If you can help, I'd really appreciate it!

Thank you,
Utzi
0
1 Solution
 
Todd Mummert Commented:

assuming this is unix

use crypt

man 3 crypt

the first two characters of the .htpasswd password are the salt for the 2nd argument of crypt.

So pass the plaintext password and the salt to crypt() and check against htpasswd
0
 
utzi (Author) Commented:
Thanks for your reply! I'll try that and post what I find... might be an hour before I can get to it.
0
 
Todd Mummert Commented:

No problem.  I should have mentioned that many languages (perl, php) have a similarly named crypt function that takes the same type of arguments.
0
 
utzi (Author) Commented:
Excellent... I just used PHP's crypt() to do this and it works as desired.  I didn't even need to split off the first two chars for the salt. Thanks for the info!
0
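
The check discussed in this thread, written out as an added PHP example (not code posted by either participant). It goes beyond the traditional crypt(3) entries in the question and also handles `{SHA}` and bcrypt entries; the function names `htpasswd_lookup` and `htpasswd_verify` are hypothetical, and the sample entry is constructed at run time rather than taken from a real file.

```php
<?php
// Added example: validate a submitted username/password against .htpasswd text.

/** Return the stored hash for $user, or null if the user has no entry. */
function htpasswd_lookup(string $contents, string $user): ?string
{
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // blank lines and comments carry no credentials
        }
        // Split on the first colon only; the hash is everything after it.
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($name === $user && $hash !== '') {
            return $hash;
        }
    }
    return null;
}

/** True only if $password hashes to the value stored for $user. */
function htpasswd_verify(string $contents, string $user, string $password): bool
{
    $stored = htpasswd_lookup($contents, $user);
    if ($stored === null) {
        return false;
    }
    if (strncmp($stored, '{SHA}', 5) === 0) {
        // htpasswd -s format: base64 of the raw SHA-1 digest, unsalted.
        $computed = '{SHA}' . base64_encode(sha1($password, true));
    } elseif (strncmp($stored, '$apr1$', 6) === 0) {
        // Apache's MD5 variant is not implemented by PHP's crypt().
        throw new RuntimeException('apr1 entries need a separate implementation');
    } else {
        // Traditional crypt(3) and bcrypt: the stored hash begins with its own
        // salt, so it can be passed whole as crypt()'s second argument.
        $computed = crypt($password, $stored);
    }
    // Constant-time comparison; a crypt() failure marker never equals $stored.
    return hash_equals($stored, $computed);
}

// Constructed sample entry: user from the question, hash generated here.
$sample = "# constructed sample\n" . 'mjcrls99:' . crypt('abc123', 'Um') . "\n";
var_dump(htpasswd_verify($sample, 'mjcrls99', 'abc123'));
var_dump(htpasswd_verify($sample, 'mjcrls99', 'not-the-password'));
var_dump(htpasswd_verify($sample, 'nobody', 'abc123'));
```

Traditional crypt(3) entries use only the first eight characters of the password, so any longer submission sharing those eight characters also validates against them.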
