[SOLVED] PHP: how to validate a password from htpasswd
Hello, I'm creating a script/page using PHP which will give a user the possibility to change his password in the htpasswd file, but I'm not sure how to ensure that the current password matches the password from htpasswd.
Does anybody know how to validate 'current password' against the password saved in htpasswd?
To verify the password, PHP should be able to open and read the file where the HTTP passwords are stored.
Then you get the line that starts with "Username:<crypted password>" and compare the crypted password with the password you want to check, crypted with the same algorithm.
Passwords are ordinarily stored in databases, not in files.
The most common strategy is to store a "salted hash." The password, plus a random number (the "salt"), is hashed using SHA1 (not MD5 ...), and both the resulting hash and the random number are stored. (The random number is not concealed.)
Yes, the idea is good for new passwords, but what about old passwords which used a 'salt' which hasn't been saved? How do I ensure that the current password is correct, or how do I validate an old password to ensure it is the right user?
Quote:
Yes, the idea is good for new passwords, but what about old passwords which used a 'salt' which hasn't been saved?
If you don't have the salt then you might as well throw the hash away. However you talked about htpasswd in the first post, according to Apache's htpasswd format documentation, the salt should be in that file.
Quote:
Originally Posted by sundialsvcs
Passwords are ordinarily stored in databases, not in files.
The most common strategy is to store a "salted hash." The password, plus a random number (the "salt"), is hashed using SHA1 (not MD5 ...), and both the resulting hash and the random number are stored. (The random number is not concealed.)
It reads the username and password from the command line and looks in passwordfile for the user. Change the first arg in the call to get_htpasswd to your actual password file. This supports all of htpasswd's hash methods.
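An added example, not part of the thread and not the script the reply above describes: one way to check a user's current password against an htpasswd entry in PHP. The function names and the sample file are hypothetical; it handles bcrypt, crypt() and {SHA} entries and reports $apr1$ entries as unsupported, because PHP's crypt() does not implement that scheme.

```php
<?php
// Added example; function names and sample data are hypothetical,
// not taken from the thread.

/** Return the stored hash field for $user, or null if the user is absent. */
function htpasswd_lookup(string $path, string $user): ?string {
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        // Each entry is "user:hash"; split on the first colon only.
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($name === $user) {
            return $hash;
        }
    }
    return null;
}

/** true/false for a checked password, null if the scheme is not handled here. */
function htpasswd_verify(string $password, string $hash): ?bool {
    if (strncmp($hash, '$apr1$', 6) === 0) {
        return null; // Apache's MD5 variant: PHP's crypt() cannot recompute it
    }
    if (strncmp($hash, '{SHA}', 5) === 0) {
        // Unsalted SHA-1, base64-encoded after the "{SHA}" tag.
        return hash_equals(substr($hash, 5), base64_encode(sha1($password, true)));
    }
    // bcrypt ($2y$) and traditional crypt(): the salt is embedded in the hash,
    // so password_verify() re-hashes with it and compares in constant time.
    return password_verify($password, $hash);
}

// Constructed sample file; the hashes are generated here, not from a real system.
$path = tempnam(sys_get_temp_dir(), 'htp');
file_put_contents($path, implode("\n", [
    'alice:' . password_hash('correct horse', PASSWORD_BCRYPT),
    'bob:{SHA}' . base64_encode(sha1('hunter2', true)),
]) . "\n");

$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'hunter2'], ['carol', 'x']];
foreach ($attempts as [$user, $pw]) {
    $hash = htpasswd_lookup($path, $user);
    // An unknown user is treated the same as a wrong password.
    $ok = $hash === null ? false : htpasswd_verify($pw, $hash);
    echo $user, ': ', var_export($ok, true), "\n";
}
unlink($path);
```

Returning null for an unhandled scheme keeps "cannot check this entry" distinct from "wrong password", so a password-change page does not reject a valid user just because the entry uses a format the script cannot recompute.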