How to validate a plaintext username/password against an existing .htpasswd file?
Posted on 2009-05-16
I have an unusual question about an .htpasswd file. I've recently rebuilt a website on a LAMP box; the old site has a members area protected with .htaccess/.htpasswd. The new site uses a different method of access control. When the new site is launched, I want to make a special login area for the members of the old site where they can enter their username/password and receive a coupon code for a free month of access if they cancel their old membership and sign up again under the new system.
My problem is that I'm not sure how to do this. I thought it would be simple to take the username/password entered in the special login area and use the htpasswd program on the server to validate the combination. For example, let's say the person claiming to be an existing member gives this username/password combo:
and let's say this line exists in the .htpasswd file:
How can I verify that "Um9Ykdtrljx1s" does, or does not, represent "abc123"?
Does the htpasswd program use a one-way hash to produce its encrypted password? If so, there must be a hash key on the system somewhere that I could use on the user-supplied password to produce an encrypted string that could be compared to the one for that user in the .htpasswd file.
If I can't use the htpasswd program on apache for this, what else can I do? This must have a simple solution somehow.
If you can help, I'd really appreciate it!