----- Original Message -----
From: "Wade Smart" [EMAIL PROTECTED] wrote:

> The new question!
>
> I am running WAMP 2.0 (the latest version) as a development environment on Windows XP and I am very happy with it but now there is one problem.
>
> How do I get Basic Auth to work on WAMP just the same way Basic Auth runs on my Linux based servers?
>
> All seems to be ok in XP but the encrypted strings that are used in .htaccess or passwd files do not work with the same passwords that are used in the Linux environment.
>
> I am quite happy to use a different encryption algorithm in the development environment and then to swap algorithms when a site goes online but I don't know what algorithm to use on a Windows based server (not IIS - still Apache).
>
> Another possibility may be to get Apache to store passwords in plain text. This would be fine in a development environment. Is this possible? And if so how do I configure it so?
>
> Thanks.

20081111 0859 GMT-5

http://us3.php.net/features.http-auth

Did you read this page at PHP?

One of the things I really dislike is moving back and forth from Windows to Linux for the exact problem you are facing now. The security that is available on Linux naturally is missing in Windows.

I read an article in Linux Magazine that (and I can't remember the exact details here) said to use MySQL and encrypt your passwords there. You have a username and password file - the username is plain text, the passwords are encrypted.

Wade
--
Registered Linux User: #480675
Linux since June 2005

------------------------------------

Hello Wade,

I did read that page but it was mostly about getting PHP to send a 401. I won't be doing this. I will let Apache do it and I will just retrieve the already validated user name with $_SERVER['PHP_AUTH_USER'] or $_SERVER['REMOTE_USER'].

Some may laugh! The one thing that I did not try in the WAMP environment was a plain text password in the passwd file. Well it turns out the WAMP does not encrypt the passwords so that worked immediately.

I normally do as you mentioned with MySQL. That is, store the username and an md5() of the password in a MySQL database. I learnt not to use the MySQL password function as the encryption changed in previous versions. However md5() is well specified and will not change.

The other thing I do as well is to write some JavaScript into the login page to md5() the password before it is sent. I then check for a straight match or an md5() match to the stored md5() of the password. The md5() match is for those who don't have JavaScript enabled. For those who do have it enabled, their password is sent in an encrypted form.

The letdown of basic auth is that it sends the password in plain text but in most cases this is the outcome anyway.

Even though this method will work on Windows/Apache it will not work on Windows/IIS but I am not bothered about that, all my servers are Linux/Apache.

Thanks,

Now I better get back to the real task.
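
Added example, not part of the original thread: a small audit that reads an Apache password file and reports entries that will not validate the same way on Apache for Windows and Apache for Linux, which is the mismatch discussed above. It relies on Apache's documented password formats (crypt(3) entries are Unix-only, plain-text entries are accepted only on Windows and NetWare, `$apr1$`, `{SHA}` and `$2y$` are handled by Apache itself); the function names and the sample entries are constructed for illustration.

```python
import re

# Prefixes from Apache's documented htpasswd formats, handled by Apache's own
# code on every platform ($2y$ bcrypt needs Apache 2.4 or later).
PORTABLE = {"$apr1$": "apr1-md5", "{SHA}": "sha1", "$2y$": "bcrypt"}
# Formats delegated to the operating system's crypt(3), so Unix-only.
CRYPT3_PREFIXES = ("$1$", "$5$", "$6$")
# Heuristic for traditional DES crypt: 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(field):
    """Return (scheme, works_on_unix, works_on_windows) for a password field."""
    for prefix, name in PORTABLE.items():
        if field.startswith(prefix):
            return name, True, True
    if field.startswith(CRYPT3_PREFIXES) or DES_CRYPT.match(field):
        return "crypt3", True, False
    # Anything else is compared as plain text, which only Windows builds accept.
    return "plaintext", False, True


def audit(text):
    """Return (line_no, user, scheme, where_it_works) for non-portable entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        scheme, unix_ok, win_ok = classify(field)
        if not (unix_ok and win_ok):
            where = "unix-only" if unix_ok else "windows-only"
            findings.append((n, user, scheme, where))
    return findings


# Constructed sample file (not from the thread); hash values are placeholders.
SAMPLE = "\n".join([
    "alice:rqXexS6ZhobKA",
    "bob:secret",
    "carol:$apr1$abcdefgh$0123456789abcdefghijkl",
    "dave:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A file with no findings can be copied unchanged between the Windows development server and the Linux production server.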