# httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password
Date Wed, 10 Sep 2003 17:34:10 GMT
Hello,

Check out mod_auth docs.  http://httpd.apache.org/docs-2.0/mod/mod_auth.html
and the core docs for AuthType and Require directives.

Use the htpasswd program to generate usernames and passwords in an .htpasswd
file.  Type htpasswd with no args to see usage.  Make sure your PATH has the
"C:\Program Files\Apache Group\Apache2\bin" folder.

Create a new .htpasswd file:

htpasswd -c \path\to\.htpasswd user1

Add a new user to existing file:

htpasswd \path\to\.htpasswd user2

.htpasswd file looks like this:
user1:$apr1$4r0.....$UhfqMbRX/Hm/zIapnQnes.
user2:$apr1$ar0.....$KVQb4b../XWSGjV2nPSOJ/

Put it in a safe place outside your web or DocumentRoot folders.

Choose if you're going to put your Auth stuff in a Directory block, or use
AllowOverride AuthConfig, and put an .htaccess into the folder to protect.

Directory or .htaccess Directives used (very simple):

AuthUserFile "\path\to\.htpasswd"
AuthName "protected server"
AuthType Basic
Require valid-user

----- Original Message -----
From: "David" <amdawong@starhub.net.sg>
To: <users@httpd.apache.org>
Sent: Tuesday, September 09, 2003 1:01 PM
Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters at

Hello Brian!!

I would like to implement a basic authentication system using my apache.
You mentioned that you managed to get the security to

"work via .htaccess, as well as just using <Directory> access via the
httpd.conf file".

Can you elaborate a little more?? I would like to do the same. I am using
Windows XP.

Regards,
David

-----Original Message-----
From: Brian Gulizia [mailto:brian.gulizia@complexlit.com]
Sent: Thursday, September 11, 2003 12:07 AM
To: users@httpd.apache.org
Subject: [users@httpd] htpasswd with Apache 2.0 - extra characters at

Hello,
I have a server that is running Redhat 9.0, and the Apache web server
that came with it. I am currently working on the security for a website
using basic authentication. I have been able to successfully get the
security to work via .htaccess, as well as just using <Directory> access
via the httpd.conf file.
However in testing I've found that, while you will only gain access to
the protected directory by entering the password, you can also put a
bunch of extra characters after the password and it will still allow
access.
I've searched the web, as well as the documentation, and couldn't find
anything mentioning this caveat. Is this normal, or is there something
that perhaps I've missed in my setup that could be causing this?
Thanks,
Brian Gulizia
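
Added example, not part of the original thread and not Apache project code: the behaviour Brian describes matches the traditional crypt(3) DES format, the htpasswd default on Unix in Apache 2.0, which uses only the first 8 characters of the password, while the `$apr1$` MD5 format shown in the reply hashes the whole password. This Python sketch classifies each entry of an htpasswd file by format and flags the truncating ones; the function names and sample entries are constructed for illustration, and the hash values are placeholders.

```python
import re

# Traditional crypt(3) DES output: 2 salt chars + 11 hash chars, no prefix.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(hash_field):
    """Map one htpasswd hash field to (scheme, note). Heuristic, by prefix."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", "whole password is hashed"
    if hash_field.startswith("$2y$"):
        return "bcrypt", "whole password is hashed (up to 72 bytes)"
    if hash_field.startswith("{SHA}"):
        return "sha1", "unsalted; whole password is hashed"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt", "only the first 8 characters are checked"
    return "unknown", "unrecognised format"

def audit(text):
    """Return [(line_no, user, scheme, note)] for the text of an htpasswd file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are skipped
        user, sep, hash_field = line.partition(":")
        if not sep or not hash_field or any(c.isspace() for c in hash_field):
            # e.g. two entries run together on one line
            findings.append((n, user, "malformed", "expected one user:hash per line"))
            continue
        findings.append((n, user, *classify(hash_field)))
    return findings

# Constructed sample; the hash values are placeholders, not real hashes.
SAMPLE = """\
user1:$apr1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
user2:abCDEFGHIJKLM
user3:$apr1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA user4:abCDEFGHIJKLM
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Entries reported as des-crypt can be regenerated with `htpasswd -m` to store them in the `$apr1$` format.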

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
"   from the digest: users-digest-unsubscribe@httpd.apache.org
