Authentication using .htpasswd and .htaccess
Posted: Sat Jun 09, 2007 5:57 pm
by JellyFish
I placed the two files in a specified directory to keep only authenticated users from entering. Everything works except the password doesn't need to be typed in fully. I noticed that instead of being something like myauthpassword, I could just type myauthpassw and it would authenticate the user.
Why is this happening? I don't believe this to be secure.
Posted: Sat Jun 09, 2007 6:04 pm
by feyd
Why not use a script?
Posted: Sat Jun 09, 2007 6:16 pm
by JellyFish
I have for quite some time. But I'm afraid of it being less secure as I found a hole in it. All pages have a piece of code that checks for the correct session. But files such as a small PHP functions holder don't have the piece of code. So I'd have to place the code in the right places.
But it would seem like bad coding to have such a system.
I only employed the .htaccess method as of yesterday. So I'm still comparing this to my previous.
Why does HTTP authentication behave in the manner I explained in my first post?
Posted: Sat Jun 09, 2007 8:40 pm
by feyd
Using a script is often far more secure, provided it's written well.
From what I remember, the .htpasswd stuff uses fairly old, far less secure encryption.
Posted: Sat Jun 09, 2007 8:59 pm
by JellyFish
I see.
I'll abandon that method then.
Thank you for your posts.
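
Added example, not part of the thread: Apache's htpasswd CRYPT format (traditional crypt(3)) uses only the first 8 characters of a password, which would produce the behaviour described in the first post; the thread never says which format the file used, so that link is an assumption. The Python audit below flags .htpasswd entries by hash format; `classify`, `audit`, `effective_secret` and the sample entries are constructed for illustration.

```python
import re

# 13 characters from the crypt(3) alphabet: 2 salt + 11 hash (traditional DES crypt).
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hash_field):
    """Return (scheme, finding) for the hash field of one .htpasswd entry."""
    if hash_field.startswith("$2y$"):
        return "bcrypt", "ok"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", "weak: fast salted MD5"
    if hash_field.startswith("{SHA}"):
        return "sha1", "weak: unsalted SHA-1"
    if DES_CRYPT.match(hash_field):
        return "des-crypt", "truncates: only the first 8 password characters count"
    return "unknown", "review: plaintext or unrecognised format"

def audit(text):
    """Parse .htpasswd content into (line_no, user, scheme, finding) tuples."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, hash_field = line.partition(":")
        if not sep:
            results.append((n, line, "malformed", "review: no ':' separator"))
            continue
        results.append((n, user, *classify(hash_field)))
    return results

def effective_secret(scheme, password):
    """What the scheme actually compares: DES crypt ignores everything past 8 chars."""
    return password[:8] if scheme == "des-crypt" else password

# Constructed sample file; the hash values are placeholders, not real hashes.
SAMPLE = """\
# constructed example
alice:abCDEFGHIJKLM
bob:$apr1$CONSTRUC$TEDplaceholder0000000
carol:{SHA}CONSTRUCTEDplaceholder000=
dave:$2y$05$CONSTRUCTEDplaceholder0000000000000000000000000000000
"""

if __name__ == "__main__":
    for n, user, scheme, finding in audit(SAMPLE):
        print(f"line {n}: {user}: {scheme}: {finding}")
    print(effective_secret("des-crypt", "myauthpassword"), effective_secret("des-crypt", "myauthpassw"))
```

A 13-character plaintext entry would also match the DES pattern, so a `des-crypt` finding means the entry should be regenerated either way.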
