Authentication using .htpasswd and .htaccess

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

I placed the two files in a specified directory to keep only authenticated users from entering. Everything works except the password doesn't need to be typed in fully. I noticed that instead of being something like myauthpassword, I could just type myauthpassw and it would authenticate the user.

Why is this happening? I don't believe this to be secure.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Why not use a script?
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

I have for quite some time. But I'm afraid of it being less secure, as I found a hole in it. All pages have a piece of code that checks for the correct session. But files such as a small PHP functions holder don't have the piece of code. So I'd have to place the code in the right places.

But it would seem like bad coding to have such a system.

I only employed the .htaccess method as of yesterday. So I'm still comparing this to my previous.

Why does HTTP authentication behave in the manner I explained in my first post?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Using a script is often far more secure, provided it's written well.

From what I remember the .htpasswd stuff uses fairly old, far less secure encryption.
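The truncation JellyFish describes is characteristic of the traditional DES-based crypt(3) hash that older htpasswd tools wrote by default: it uses only the first eight characters of the password, so any longer string sharing that prefix verifies. The script below is an added example, not code from the thread; it audits a constructed .htpasswd file and flags entries in that format (13 characters of `[./0-9A-Za-z]` with no `$` prefix) along with other weak formats. The usernames and hash values are made up.

```python
import re

# Constructed sample .htpasswd content (not from the thread). The first entry
# is the traditional DES crypt(3) format: 13 chars, 2-char salt, no '$' prefix.
# With that format only the first 8 password characters are hashed, which is
# why "myauthpassw" verifies against a hash of "myauthpassword".
SAMPLE_HTPASSWD = """\
alice:abJnggxhB/yWI
bob:$apr1$pTQ1jw2B$k9FWYx9yH3ZlM8H1S7bmR0
carol:$2y$05$9bDgqW7dvcK6TwgiozN.u.dL7mZ2WaBgyTvoM4f8Wb7UBr3mCdU9e
dave:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
# comment line
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hash_field):
    """Return a short label for the htpasswd hash format."""
    if DES_CRYPT.match(hash_field):
        return "des-crypt"          # truncates password to 8 characters
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"           # Apache's iterated MD5, no truncation
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1"               # unsalted SHA-1, weak
    return "unknown"

def audit_htpasswd(text):
    """Yield (line number, user, format) for every non-comment entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((lineno, user, "malformed"))
            continue
        findings.append((lineno, user, classify(hash_field)))
    return findings

def weak_entries(text):
    """Users whose entries should be re-hashed with a stronger format."""
    weak = ("des-crypt", "sha1", "unknown", "malformed")
    return [u for _, u, kind in audit_htpasswd(text) if kind in weak]

if __name__ == "__main__":
    for lineno, user, kind in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"line {lineno}: {user}: {kind}")
    print("re-hash:", weak_entries(SAMPLE_HTPASSWD))
```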
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

I see.

I'll abandon that method then.

Thank you for your posts. :D