Password created using htpasswd but cannot authenticate using php

Hi,

Password was created using:
htpasswd -nb 111-111-111 testtest
got response
111-111-111:edgwvdl4yy1DM
and placed the response into the passwordlst file in the same folder as auth.php, but I cannot authenticate using username 111-111-111 and password testtest with the auth.php below.

Any help would be greatly appreciated

Best,
RockBob

<?php
// Look up $login in the password file and compare the stored hash
function check_pass($login, $password, $mode) {
  global $password_file;
  if(!$fh = fopen($password_file, "r")) { die("<P>Could Not Open Password File"); }
  $match = 0;
  while(!feof($fh)) {
    $line = fgets($fh, 4096);
    $from_file = explode(":", $line);
    if($from_file[0] == $login) {
      if($mode == "crypt"){
        // the salt is the first two characters of the stored hash
        $salt = substr($from_file[1],0,2);
        $user_pass = crypt($password,$salt);
      } elseif ($mode == "md5") {
        $user_pass = md5($password);
      }
      if(rtrim($from_file[1]) == $user_pass) {
        $match = 1;
        break;
      }
    }
  }
  // close the file before returning
  fclose($fh);
  if($match) {
    return 1;
  } else {
    return 0;
  }
}
// Send the Basic auth challenge and stop
function authenticate() {
  Header("WWW-Authenticate: Basic realm=\"RESTRICTED ACCESS\"");
  Header("HTTP/1.0 401 Unauthorized");
  echo ("<h1>INVALID USERNAME OR PASSWORD. ACCESS DENIED</h1>");
  exit;
}
/*** MAIN ***/
//select md5 or crypt for $mode. md5 is for md5 encoded passwords, crypt is for passwords encoded using apache's htpasswd
$mode = "crypt";
$password_file = "passwordlst";
if (!isset($PHP_AUTH_USER)) {
  authenticate();
} else {
  if(check_pass($PHP_AUTH_USER, $PHP_AUTH_PW, $mode)) {
    ?>
    <h1>ACCEPTED</h1>
    <?php
  } else {
    authenticate();
  }
}
?>


Enclavet Commented:
Hi, you need to change your $PHP_AUTH_USER, $PHP_AUTH_PW to $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']

This works:

  function authenticate() {
    Header("WWW-Authenticate: Basic realm=\"RESTRICTED ACCESS\"");
    Header("HTTP/1.0 401 Unauthorized");
    echo ("<h1>INVALID USERNAME OR PASSWORD. ACCESS DENIED</h1>");
    exit;
  }

  /*** MAIN ***/
  //select md5 or crypt for $mode. md5 is for md5 encoded passwords, crypt is for passwords encoded using apache's htpasswd
  $mode = "crypt";
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    authenticate();
  } else {
    if(check_pass($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], $mode)) {
      ?>
      <h1>ACCEPTED</h1>
      <?php
    } else {
      authenticate();
    }
  }
RockBob (Author) Commented:
Thanks Enclavet, just tested that but it's still not working; it seems to be something related to using -, i.e.
passwords generated for usernames with - aren't correct,
so this doesn't work:
htpasswd -nb passwordlst 111-111-111 testest
but this works:
htpasswd -nb 111111111 testtest

- doesn't seem to bother apache during authentication but php just doesn't want to authenticate it

Any insight on how to approach this? I have hundreds of passwords created with - in usernames

Regards,
RockBob
Enclavet Commented:
Have you tried setting the passwordlst file to .htpasswd?
RockBob (Author) Commented:
Same thing, something with - and how php is processing them.
Not sure how the apache php module is doing authentication, i.e. processing usernames with - correctly, while the above php code is failing.
There should be no difference
RockBob (Author) Commented:
found the issue :) I had this piece of code in auth.php
if(!ctype_alnum($user)){
  // invalid user name
  return FALSE;
}

anyway thanks Enclavet for $_SERVER['PHP_AUTH_USER'], that was really helpful, I'm assigning points to you
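
The root cause found in this thread, shown as an added example that is not code from either poster: ctype_alnum() rejects hyphenated usernames before the hash is ever compared, so the sketch below replaces it with an allow-list that accepts "-" and verifies crypt()-format htpasswd entries with a constant-time comparison. The function names (valid_username, parse_htpasswd, verify_login), the allowed character set, and the sample entries are assumptions made for illustration.

```php
<?php
// Added example; function names and the allowed character set are assumptions.

// Allow-list check that accepts hyphenated names such as "111-111-111".
// ctype_alnum() returns false for them, which is what blocked the login.
// ':' is never allowed because it is the htpasswd field separator.
function valid_username(string $user): bool {
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user) === 1;
}

// Parse "user:hash" lines into an array keyed by username.
function parse_htpasswd(string $contents): array {
    $entries = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || strpos($line, ':') === false) {
            continue; // skip blank or malformed lines
        }
        [$user, $hash] = explode(':', $line, 2);
        $entries[$user] = $hash;
    }
    return $entries;
}

// Verify a login against crypt()-format entries.
function verify_login(array $entries, string $login, string $password): bool {
    if (!valid_username($login) || !isset($entries[$login])) {
        return false;
    }
    $stored = $entries[$login];
    // crypt() takes the salt from the start of the stored hash.
    $computed = crypt($password, $stored);
    // Constant-time, type-strict comparison instead of ==.
    return hash_equals($stored, $computed);
}

// Constructed sample entries: the hashes are generated here, not copied from the thread.
$sample = "111-111-111:" . crypt('testtest', 'ed') . "\n"
        . "111111111:" . crypt('testtest', 'ab') . "\n";
$entries = parse_htpasswd($sample);

var_dump(ctype_alnum('111-111-111'));                         // the check that rejected the user
var_dump(verify_login($entries, '111-111-111', 'testtest'));  // hyphenated user, correct password
var_dump(verify_login($entries, '111-111-111', 'wrong'));     // wrong password
var_dump(verify_login($entries, 'bad:name', 'testtest'));     // rejected by the allow-list
```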