> Oh. I was just about to reply to say yes it does let the user in with > the hashed password presented as the password.
yeah.. the reason is apparently that win32 is documented to allow clear-text passwords for authentication. this was news to me, but I'm new to win32 httpd land. so really what I thought was a bug is desirable. well, not desirable really, but required for legacy reasons. and since there is no real way to tell that crypt() generated text is crypt() generated, adding fcrypt() to APR really doesn't solve the underlying problem - supporting both on win32 would mean that two passwords would be valid for every one entry in .htpasswd. --Geoff --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
