Re: [PHP] basic authentication usage
I think that the problem here is, that the unset of the $_SERVER[PHP_AUTH_USER] variable is not affecting the client's browser. If you've got a directory protection, the browser needs a restart to show the login dialog before. I may be wrong because I'm using forms normally but the authentication cannot be reset so easily...

On 10.06.2013 at 22:28, Jim Giner <jim.gi...@albanyhandball.com> wrote:

> Trying to learn how this works for a simple security need I have. Nothing serious, hence this experiment.
>
> My code:
>
> if (!isset($_SERVER['PHP_AUTH_USER']))
> {
>     header('WWW-Authenticate: Basic realm="My Realm"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo '<h3>You have chosen not to signin<br><br>';
>     echo "Click <a href='/index.php'>here</a> to go back to the menu";
>     unset($_SERVER['PHP_AUTH_USER']);
>     unset($_SERVER['PHP_AUTH_PW']);
>     unset($_ENV['PHP_AUTH_USER']);
>     unset($_ENV['PHP_AUTH_PW']);
>     exit;
> }
> else
> {
>     echo "checking creds<br>";
>     if ($_SERVER['PHP_AUTH_USER'] <> "validuser")
>     {
>         unset($_SERVER['PHP_AUTH_USER']);
>         unset($_SERVER['PHP_AUTH_PW']);
>         unset($_ENV['PHP_AUTH_USER']);
>         unset($_ENV['PHP_AUTH_PW']);
>         echo '<h3>You have entered invalid information.<br><br>';
>         echo "Click <a href='/index.php'>here</a> to go back to the menu";
>         exit();
>     }
> }
> (if we get here we have signed on)
> (continue on with script)
>
> ***
> My problem is trying to remove the invalid credentials (unsets) so that when the user attempts to access the page again, the signin dialog gets displayed. On my second attempt I always get the invalid path and never get a chance to re-enter the credentials.
>
> What am I missing (besides it's a lousy security solution)?
>
> Can one NOT unset a SERVER variable? How does one get around that in this case if so?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] basic authentication usage
On 6/10/2013 4:33 PM, Julian Wanke wrote:

> I think that the problem here is, that the unset of the $_SERVER[PHP_AUTH_USER] variable is not affecting the client's browser. If you've got a directory protection, the browser needs a restart to show the login dialog before. I may be wrong because I'm using forms normally but the authentication cannot be reset so easily...

No - I think you misunderstood. I am NOT using directory protection, hence my attempt at using this method.
Re: [PHP] basic authentication usage
I just mentioned that as an example. For this authentication the server sends an Authorization header. The client's browser requests the credentials from the user and saves them in the RAM. Now the client's browser sends the credentials to the server. And what's important: the browser sends the credentials in each further request from now. So the browser stores the username and password for the session in the RAM and they can't be changed or deleted from the server's side. In fact the authorization works similar to cookies with the difference that cookies can be set server-side and the HTTP authorization can't.

That's the reason why you can't unset the invalid credentials: if entered one time, the browser will send them in each request, it doesn't matter what the server does.

I hope you understood what I mean...

On 10.06.2013 at 23:14, Jim Giner <jim.gi...@albanyhandball.com> wrote:

> On 6/10/2013 4:33 PM, Julian Wanke wrote:
>> I think that the problem here is, that the unset of the $_SERVER[PHP_AUTH_USER] variable is not affecting the client's browser. If you've got a directory protection, the browser needs a restart to show the login dialog before. I may be wrong because I'm using forms normally but the authentication cannot be reset so easily...
>
> No - I think you misunderstood. I am NOT using directory protection, hence my attempt at using this method.
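The script discussed in this thread answers bad credentials with a normal page and unset() calls, which never reach the browser. The sketch below is an added example, not code from the thread: it answers every failed check with a new 401 challenge, the HTTP mechanism by which a server asks for credentials again. The account store, the user name "jim" and the function names are assumptions made for the illustration.

```php
<?php
// Added example: HTTP Basic authentication in PHP where a failed check
// re-sends the 401 challenge instead of unset()-ing $_SERVER entries.

const REALM = 'My Realm';

// Constructed sample account store (user => password_hash() output).
// A real deployment creates the hashes once and loads them from storage.
function sample_users(): array
{
    return ['jim' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// Hash of a random value, used so unknown users cost the same verification time.
function dummy_hash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
}

/**
 * Decide the response for one request.
 * Returns [status code, extra headers, body]; produces no output itself.
 */
function basic_auth_decision(array $server, array $users): array
{
    $challenge = ['WWW-Authenticate: Basic realm="' . REALM . '"'];

    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if ($user === null || $pass === null) {
        // First visit, or the user cancelled the dialog.
        return [401, $challenge, 'Sign-in required.'];
    }

    // password_verify() runs for every request, known user or not.
    $known = isset($users[$user]);
    $valid = password_verify($pass, $known ? $users[$user] : dummy_hash());
    if (!$known || !$valid) {
        // Wrong credentials: 401 plus the challenge again, so the browser
        // shows its dialog instead of replaying what it cached.
        return [401, $challenge, 'Invalid credentials.'];
    }

    return [200, [], 'Signed in as ' . htmlspecialchars($user)];
}

// Apply the decision to the current request.
[$status, $headers, $body] = basic_auth_decision($_SERVER, sample_users());
http_response_code($status);
foreach ($headers as $line) {
    header($line);
}
echo $body, "\n";
```

Because the credentials travel with every request, this only makes sense over HTTPS.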
Re: [PHP] basic authentication and redirection
depends on how that site does its authentication... if it's a form, it may need an extra setting to allow you to go to a specific page on that site after authentication.

On Wed, Mar 3, 2010 at 8:25 PM, Bill Rausch <brau...@owt.com> wrote:

> Hi there,
>
> In certain circumstances controlled by my users, I'd like to redirect my users to another site, a third party whom we have contracted with. The second site uses basic authentication with a simple username and password. Can I write my PHP code so my users do not have to login (or even know the username/password) on the remote site? This isn't intended to stop serious hackers, just enough security to stop casual passers-by.
>
> Thanks,
> Bill
>
> --
> Bill Rausch
> We first make our habits and then our habits make us. --John Dryden
RE: [PHP] basic authentication and redirection
[snip]
In certain circumstances controlled by my users, I'd like to redirect my users to another site, a third party whom we have contracted with. The second site uses basic authentication with a simple username and password. Can I write my PHP code so my users do not have to login (or even know the username/password) on the remote site? This isn't intended to stop serious hackers, just enough security to stop casual passers-by.
[/snip]

Have a look at cURL (http://www.php.net/curl) as it will allow you to perform remote POSTs which may be enough to get you through.
Re: [PHP] basic authentication and redirection
Jay Blanchard wrote:

> [snip]
> In certain circumstances controlled by my users, I'd like to redirect my users to another site, a third party whom we have contracted with. The second site uses basic authentication with a simple username and password. Can I write my PHP code so my users do not have to login (or even know the username/password) on the remote site? This isn't intended to stop serious hackers, just enough security to stop casual passers-by.
> [/snip]
>
> Have a look at cURL (http://www.php.net/curl) as it will allow you to perform remote POSTs which may be enough to get you through.

Or you can use JavaScript on an intermediate page to post directly to the remote site's login form. If JavaScript is disabled, just have a button "Please continue to XXX" which then performs the post to the remote site.

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
RE: [PHP] Basic Authentication
> -----Original Message-----
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: Wednesday, January 14, 2009 5:18 PM
> To: Shawn McKenzie; php-general@lists.php.net
> Subject: Re: [PHP] Basic Authentication
>
> At 2:19 PM -0600 1/14/09, Shawn McKenzie wrote:
>> As others have said, use crypt(). http://php.net/manual/function.crypt.php has Example #2 Using crypt() with htpasswd.
>
> Thanks, but that doesn't really solve my problem. You see, I know the password and I know the encoded result -- what I don't know is what algorithm was used to generate the encoding.
>
> Here are all the algorithms I know of (this includes the above link you provided).
>
> http://webbytedd.com//md5/index.php
>
> However, none of them match what I have.

tedd,

It would appear your Standard DES and MD5 labels are actually both MD5. Also--there is more than just Standard DES. Once DES was determined to be relatively IN-secure, more algorithms like Triple DES, G-DES, DES-X, LOKI89, and ICE were created. You might be looking at a Triple DES hash.

HTH,

// Todd
Re: [PHP] Basic Authentication
At 11:43 PM + 1/14/09, Ashley Sheridan wrote:

> Surely that's a good thing then? Security through obscurity and all that...
>
> Ash

Ash:

Certainly it's a good thing -- until the client asks for another password.

At this point, I have four logon and password combinations to use. I can tell the client if they use one of those, then they can login. However if they want their own, then I have no idea of what the algorithm was/is and thus no way of generating a new combination for them.

You see, the problem here is not that I can't set up an authorization scheme -- I can do that easily enough. The problem is that I don't know how the one currently in place on my client's server works in generating passwords. If I knew that, then I could generate the password myself.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Basic Authentication
On Jan 15, 2009, at 12:32 PM, tedd wrote:

> At 11:43 PM + 1/14/09, Ashley Sheridan wrote:
>> Surely that's a good thing then? Security through obscurity and all that...
>>
>> Ash
>
> Ash:
>
> Certainly it's a good thing -- until the client asks for another password.
>
> At this point, I have four logon and password combinations to use. I can tell the client if they use one of those, then they can login. However if they want their own, then I have no idea of what the algorithm was/is and thus no way of generating a new combination for them.
>
> You see, the problem here is not that I can't set up an authorization scheme -- I can do that easily enough. The problem is that I don't know how the one currently in place on my client's server works in generating passwords. If I knew that, then I could generate the password myself.

Hey tedd,

One thing I just thought of that I'm sure you checked but just in case... With the current system do they have any way of adding new users to it? If so... there would be info in a file that had the algorithm info you need... Other than that nothing to add except rewrite the whole thing with properly commented code so future people can view/edit the code :)

--
Jason Pruim
japr...@raoset.com
616.399.2355
Re: [PHP] Basic Authentication
At 12:42 AM +0100 1/15/09, Edmund Hertle wrote:

> I think I do not really understand your problem... searching for standard crypt algorithms? google, wikipedia and such should help.

I solved the problem myself, which basically meant there was no way to determine what the algorithm was except for a no-salt MD5.

For example:

Here's the password: froggy123
Here's the encoded string: a2667f2ace21c54ed03a35cf946e347a

If you checked the two, you could discover that the algorithm was MD5 without a salt. If the encoding was something else, then a different algorithm was used and most likely you could not tell what algorithm was used unless you knew the salt value.

For example, if the salt was hello and the encoding was heWf00Lr.jHb6, then the algorithm could be Crypt, Standard DES or MD5.

Understand now?

In any event, thanks for trying.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Basic Authentication
At 7:56 PM -0500 1/14/09, Andrew Ballard wrote:

> I didn't get that from your original post at all. You asked how to create an encoded password string that would work in a .htaccess file using basic authentication.

Yes, but that was before I knew that generating a password from the command line in Unix did not mean that a specific algorithm was going to be used. It appears that any of an assortment of them might be employed from the command line -- if that makes sense.

In any event, I see that the problem is not solvable.

Thanks for your help.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
RE: [PHP] Basic Authentication
At 9:11 AM -0600 1/15/09, Boyd, Todd M. wrote:

> tedd,
>
> It would appear your Standard DES and MD5 labels are actually both MD5. Also--there is more than just Standard DES. Once DES was determined to be relatively IN-secure, more algorithms like Triple DES, G-DES, DES-X, LOKI89, and ICE were created. You might be looking at a Triple DES hash.
>
> HTH,
>
> // Todd

Todd:

Yes, I saw that as well. The code is directly from the crypt link, namely:

http://php.net/manual/function.crypt.php

Example #3. However, I may have made a mistake -- I'll look into it.

Thanks,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Basic Authentication
At 12:46 PM -0500 1/15/09, Jason Pruim wrote:

> Hey tedd,
>
> One thing I just thought of that I'm sure you checked but just in case... With the current system do they have any way of adding new users to it? If so... there would be info in a file that had the algorithm info you need... Other than that nothing to add except rewrite the whole thing with properly commented code so future people can view/edit the code :)

Jason:

It would have been nice if the previous programmer had documented ANYTHING. But unfortunately, for the last year, I've had to discover everything myself.

On the good side, it's been a learning experience.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Basic Authentication
2009/1/14 tedd <t...@sperling.com>:

> Let's say that I don't want to use the htpasswd command from the UNIX shell to generate an encoded password -- how else can I create an encoded password string that would work in a .htaccess file using basic authentication?

AFAIK it's an MD5 hash, nothing more complicated than that.

-Stuart

--
http://stut.net/
Re: [PHP] Basic Authentication
On Wed, Jan 14, 2009 at 12:36 PM, Stuart <stut...@gmail.com> wrote:

> 2009/1/14 tedd <t...@sperling.com>:
>> Let's say that I don't want to use the htpasswd command from the UNIX shell to generate an encoded password -- how else can I create an encoded password string that would work in a .htaccess file using basic authentication?
>
> AFAIK it's an MD5 hash, nothing more complicated than that.
>
> -Stuart

I think the last time I used basic authentication I just generated passwords with crypt(). At that time, the hashes certainly weren't MD5 (I think they were only 13 characters), but based on the manual that seems to be variable with the system anyway.

Andrew
Re: [PHP] Basic Authentication
At 12:51 PM -0500 1/14/09, Andrew Ballard wrote:

> On Wed, Jan 14, 2009 at 12:36 PM, Stuart <stut...@gmail.com> wrote:
>> 2009/1/14 tedd <t...@sperling.com>:
>>> Let's say that I don't want to use the htpasswd command from the UNIX shell to generate an encoded password -- how else can I create an encoded password string that would work in a .htaccess file using basic authentication?
>>
>> AFAIK it's an MD5 hash, nothing more complicated than that.
>>
>> -Stuart
>
> I think the last time I used basic authentication I just generated passwords with crypt(). At that time, the hashes certainly weren't MD5 (I think they were only 13 characters), but based on the manual that seems to be variable with the system anyway.
>
> Andrew

Andrew:

Yeah, that's what I found as well -- it wasn't a MD5.

So basically my question is "What is it?"

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Basic Authentication
What it is depends on what encryption routines you have installed.

The algorithm to authenticate detects the algorithm based on the hash.

32-char : MD5
$1$ : SHA-1
$2$ : SHA-2
etc.

(Apologies if I got my tokens/algorithms wrong)

If you just toss MD5s in there, it should work, I think, if you have MD5 installed and available.

It picks the best available when it adds a new entry. So an old file might look like:

#your box came with MD5 installed
joe:MD5
alice:MD5
#you installed SHA-2
bob:SHA-2
lee:SHA-2

At least, that's been my experience so far...
Re: [PHP] Basic Authentication
> What it is depends on what encryption routines you have installed.
>
> The algorithm to authenticate detects the algorithm based on the hash.
>
> 32-char : MD5
> $1$ : SHA-1
> $2$ : SHA-2
> etc.
>
> (Apologies if I got my tokens/algorithms wrong)
>
> If you just toss MD5s in there, it should work, I think, if you have MD5 installed and available.
>
> It picks the best available when it adds a new entry. So an old file might look like:
>
> #your box came with MD5 installed
> joe:MD5
> alice:MD5
> #you installed SHA-2
> bob:SHA-2
> lee:SHA-2
>
> At least, that's been my experience so far...

The problem I have is that the server I'm working on is not mine, thus no way for me to get shell access.

I assumed that the server used a different encoding than MD5 because the string it generates is very short, such as:

jYYjNLrifgUxk

Clearly this is not MD5 encoding and thus the reason for my original post.

I do have before and after examples I could use to identify what algorithm was used. I just need to know what algorithms could have been used and (if it's not too much to ask) working example of each.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Basic Authentication
There are a number of online tools for creating the proper htaccess and htpasswd files for basic auth. Here's a couple (forget which one I used last time I needed it, both have 'visited' links in my browser):

http://www.wmtips.com/tools/htpasswd-generator/
http://www.htaccesstools.com/htaccess-authentication/

They should be secure enough since they don't really know what site you're going to use them on, but apply whatever paranoia you're comfortable with to using such tools.

-TG

----- Original Message -----
From: tedd <t...@sperling.com>
To: PHP-General <php-general@lists.php.net>
Date: Wed, 14 Jan 2009 12:31:15 -0500
Subject: [PHP] Basic Authentication

> Hi gang:
>
> Let's say that I don't want to use the htpasswd command from the UNIX shell to generate an encoded password -- how else can I create an encoded password string that would work in a .htaccess file using basic authentication?
>
> Cheers,
>
> tedd
Re: [PHP] Basic Authentication
On Wed, Jan 14, 2009 at 2:34 PM, tedd <tedd.sperl...@gmail.com> wrote:

>> What it is depends on what encryption routines you have installed.
>>
>> The algorithm to authenticate detects the algorithm based on the hash.
>>
>> 32-char : MD5
>> $1$ : SHA-1
>> $2$ : SHA-2
>> etc.
>>
>> (Apologies if I got my tokens/algorithms wrong)
>>
>> If you just toss MD5s in there, it should work, I think, if you have MD5 installed and available.
>>
>> It picks the best available when it adds a new entry. So an old file might look like:
>>
>> #your box came with MD5 installed
>> joe:MD5
>> alice:MD5
>> #you installed SHA-2
>> bob:SHA-2
>> lee:SHA-2
>>
>> At least, that's been my experience so far...
>
> The problem I have is that the server I'm working on is not mine, thus no way for me to get shell access.
>
> I assumed that the server used a different encoding than MD5 because the string it generates is very short, such as:
>
> jYYjNLrifgUxk
>
> Clearly this is not MD5 encoding and thus the reason for my original post.
>
> I do have before and after examples I could use to identify what algorithm was used. I just need to know what algorithms could have been used and (if it's not too much to ask) working example of each.
>
> Cheers,
>
> tedd

So can you not just use PHP's crypt() function? It doesn't require shell access, and like I said - it worked fine for me the last time I used basic auth.

Andrew
Re: [PHP] Basic Authentication
2009/1/14 tedd <tedd.sperl...@gmail.com>

>> What it is depends on what encryption routines you have installed.
>>
>> The algorithm to authenticate detects the algorithm based on the hash.
>>
>> 32-char : MD5
>> $1$ : SHA-1
>> $2$ : SHA-2
>> etc.
>>
>> (Apologies if I got my tokens/algorithms wrong)
>>
>> If you just toss MD5s in there, it should work, I think, if you have MD5 installed and available.
>>
>> It picks the best available when it adds a new entry. So an old file might look like:
>>
>> #your box came with MD5 installed
>> joe:MD5
>> alice:MD5
>> #you installed SHA-2
>> bob:SHA-2
>> lee:SHA-2
>>
>> At least, that's been my experience so far...
>
> The problem I have is that the server I'm working on is not mine, thus no way for me to get shell access.
>
> I assumed that the server used a different encoding than MD5 because the string it generates is very short, such as:
>
> jYYjNLrifgUxk
>
> Clearly this is not MD5 encoding and thus the reason for my original post.
>
> I do have before and after examples I could use to identify what algorithm was used. I just need to know what algorithms could have been used and (if it's not too much to ask) working example of each.
>
> Cheers,

Did you read: http://de.php.net/manual/en/function.crypt.php ? I think if you just use crypt() it will work just fine. Those short hashes would then be DES (I think this is standard on UNIX/Linux servers).

-eddy
Re: [PHP] Basic Authentication
tedd wrote:

>> What it is depends on what encryption routines you have installed.
>>
>> The algorithm to authenticate detects the algorithm based on the hash.
>>
>> 32-char : MD5
>> $1$ : SHA-1
>> $2$ : SHA-2
>> etc.
>>
>> (Apologies if I got my tokens/algorithms wrong)
>>
>> If you just toss MD5s in there, it should work, I think, if you have MD5 installed and available.
>>
>> It picks the best available when it adds a new entry. So an old file might look like:
>>
>> #your box came with MD5 installed
>> joe:MD5
>> alice:MD5
>> #you installed SHA-2
>> bob:SHA-2
>> lee:SHA-2
>>
>> At least, that's been my experience so far...
>
> The problem I have is that the server I'm working on is not mine, thus no way for me to get shell access.
>
> I assumed that the server used a different encoding than MD5 because the string it generates is very short, such as:
>
> jYYjNLrifgUxk
>
> Clearly this is not MD5 encoding and thus the reason for my original post.
>
> I do have before and after examples I could use to identify what algorithm was used. I just need to know what algorithms could have been used and (if it's not too much to ask) working example of each.
>
> Cheers,
>
> tedd

As others have said, use crypt(). http://php.net/manual/function.crypt.php has Example #2 Using crypt() with htpasswd.

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Basic Authentication
At 2:19 PM -0600 1/14/09, Shawn McKenzie wrote:

> As others have said, use crypt(). http://php.net/manual/function.crypt.php has Example #2 Using crypt() with htpasswd.

Thanks, but that doesn't really solve my problem. You see, I know the password and I know the encoded result -- what I don't know is what algorithm was used to generate the encoding.

Here are all the algorithms I know of (this includes the above link you provided).

http://webbytedd.com//md5/index.php

However, none of them match what I have.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Basic Authentication
On Wed, 2009-01-14 at 18:17 -0500, tedd wrote:

> At 2:19 PM -0600 1/14/09, Shawn McKenzie wrote:
>> As others have said, use crypt(). http://php.net/manual/function.crypt.php has Example #2 Using crypt() with htpasswd.
>
> Thanks, but that doesn't really solve my problem. You see, I know the password and I know the encoded result -- what I don't know is what algorithm was used to generate the encoding.
>
> Here are all the algorithms I know of (this includes the above link you provided).
>
> http://webbytedd.com//md5/index.php
>
> However, none of them match what I have.
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com

Surely that's a good thing then? Security through obscurity and all that...

Ash
www.ashleysheridan.co.uk
Re: [PHP] Basic Authentication
tedd wrote:

> At 2:19 PM -0600 1/14/09, Shawn McKenzie wrote:
>> As others have said, use crypt(). http://php.net/manual/function.crypt.php has Example #2 Using crypt() with htpasswd.
>
> Thanks, but that doesn't really solve my problem. You see, I know the password and I know the encoded result -- what I don't know is what algorithm was used to generate the encoding.
>
> Here are all the algorithms I know of (this includes the above link you provided).
>
> http://webbytedd.com//md5/index.php
>
> However, none of them match what I have.

crypt with a salt?

htpasswd --help:

-d  Force CRYPT encryption of the password (default).

md5 = fixed 32 chars
sha1 = fixed 40 chars

no idea about the others but crypt does not have a fixed length.

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP] Basic Authentication
2009/1/15 tedd <tedd.sperl...@gmail.com>

> At 2:19 PM -0600 1/14/09, Shawn McKenzie wrote:
>> As others have said, use crypt(). http://php.net/manual/function.crypt.php has Example #2 Using crypt() with htpasswd.
>
> Thanks, but that doesn't really solve my problem. You see, I know the password and I know the encoded result -- what I don't know is what algorithm was used to generate the encoding.
>
> Here are all the algorithms I know of (this includes the above link you provided).
>
> http://webbytedd.com//md5/index.php
>
> However, none of them match what I have.
>
> Cheers,
>
> tedd

I think I do not really understand your problem... searching for standard crypt algorithms? google, wikipedia and such should help.

Just for clarification: you know that using md5, crypt and others does not create the same hash if you use them on the same password?
Re: [PHP] Basic Authentication
Could it be that you tested the correct algorithm but didn't use the correct salt or some other permutation to receive the same encoded result?

-TG

----- Original Message -----
From: tedd <tedd.sperl...@gmail.com>
To: Shawn McKenzie <nos...@mckenzies.net>, php-general@lists.php.net
Date: Wed, 14 Jan 2009 18:17:35 -0500
Subject: Re: [PHP] Basic Authentication

> At 2:19 PM -0600 1/14/09, Shawn McKenzie wrote:
>> As others have said, use crypt(). http://php.net/manual/function.crypt.php has Example #2 Using crypt() with htpasswd.
>
> Thanks, but that doesn't really solve my problem. You see, I know the password and I know the encoded result -- what I don't know is what algorithm was used to generate the encoding.
>
> Here are all the algorithms I know of (this includes the above link you provided).
>
> http://webbytedd.com//md5/index.php
>
> However, none of them match what I have.
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Basic Authentication
On Wed, Jan 14, 2009 at 6:17 PM, tedd <tedd.sperl...@gmail.com> wrote:

> At 2:19 PM -0600 1/14/09, Shawn McKenzie wrote:
>> As others have said, use crypt(). http://php.net/manual/function.crypt.php has Example #2 Using crypt() with htpasswd.
>
> Thanks, but that doesn't really solve my problem. You see, I know the password and I know the encoded result -- what I don't know is what algorithm was used to generate the encoding.

I didn't get that from your original post at all. You asked how to create an encoded password string that would work in a .htaccess file using basic authentication. The crypt() function should do that. Have you tried creating a hash for a new password using crypt() and the function output into your .htaccess file? (Not comparing a known password to a known hash; just testing whether a hash that crypt() generates will work for your authentication.)

> Here are all the algorithms I know of (this includes the above link you provided).
>
> http://webbytedd.com//md5/index.php
>
> However, none of them match what I have.
>
> Cheers,
>
> tedd

This looks like a totally different question from your original post. Are you saying that you already have values in the .htaccess file that don't match what you expect when you run the known passwords through crypt()? What do you get when you try this?

<?php

// $password is the known plain-text password, $known_hash the stored value.
if (crypt($password, $known_hash) == $known_hash) {
    echo 'Authenticated';
} else {
    echo 'Not Authenticated';
}

?>

It's been a while since I've used this, but I'm pretty sure it works regardless of the algorithm selected (internally) by the crypt() function.

Andrew
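The recurring question in this thread is how to tell which scheme produced a stored password string and how to check a known password against it. The following is an added example, not code from any poster: it classifies an entry by prefix and length and verifies with the matching routine. The function names are assumptions, and the sample hashes are constructed at run time rather than taken from the thread.

```php
<?php
// Added example: classify an htpasswd-style hash by its shape, then verify.

function htpasswd_scheme(string $hash): string
{
    if (strncmp($hash, '$apr1$', 6) === 0) return 'apr1-md5';     // Apache's MD5 variant
    if (preg_match('/^\$2[axy]\$/', $hash)) return 'bcrypt';
    if (strncmp($hash, '$1$', 3) === 0) return 'md5-crypt';
    if (strncmp($hash, '$5$', 3) === 0) return 'sha256-crypt';
    if (strncmp($hash, '$6$', 3) === 0) return 'sha512-crypt';
    if (strncmp($hash, '{SHA}', 5) === 0) return 'sha1-base64';   // htpasswd -s
    if (preg_match('/^[a-f0-9]{32}$/i', $hash)) return 'md5-hex-unsalted';
    // Traditional DES crypt: 2 salt characters + 11 hash characters.
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) return 'des-crypt';
    return 'unknown';
}

/** Returns true/false, or null when the scheme cannot be checked here. */
function htpasswd_verify(string $password, string $hash): ?bool
{
    switch (htpasswd_scheme($hash)) {
        case 'bcrypt':
            return password_verify($password, $hash);
        case 'des-crypt': case 'md5-crypt':
        case 'sha256-crypt': case 'sha512-crypt':
            // crypt() reads scheme and salt from the stored hash itself.
            // Note: DES crypt only uses the first 8 characters of the password.
            return hash_equals($hash, (string) crypt($password, $hash));
        case 'sha1-base64':
            return hash_equals($hash, '{SHA}' . base64_encode(sha1($password, true)));
        case 'md5-hex-unsalted':
            return hash_equals(strtolower($hash), md5($password));
        default:
            return null; // apr1-md5 is not implemented by PHP's crypt()
    }
}

// Constructed samples, generated here so no stored value is assumed.
$pw = 'example-password';
$samples = [
    crypt($pw, 'ab'),                          // 13 characters, salt "ab"
    crypt($pw, '$1$abcdefgh$'),
    crypt($pw, '$6$abcdefghijklmnop$'),
    password_hash($pw, PASSWORD_BCRYPT),
    '{SHA}' . base64_encode(sha1($pw, true)),
    md5($pw),
];

foreach ($samples as $hash) {
    printf(
        "%-17s match=%-5s %s\n",
        htpasswd_scheme($hash),
        var_export(htpasswd_verify($pw, $hash), true),
        $hash
    );
}
```

Of the formats recognised here, only bcrypt and the SHA-2 crypt schemes are suitable for new password files; the others are recognised so that existing entries can be identified and migrated.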