
I have a server running Apache2 on Debian Lenny.

Something strange happens with the folders protected by .htaccess.

Basically, if you enter a wrong password that is formed by the_correct_password + more_chars, it lets you in. If you enter an incorrect password in any other way, of course it says forbidden.

So I ask: is this behavior correct? If you enter the correct password first plus any other chars, does it let you in? How can I make Apache check for an exactly correct password and not a correct password at the beginning of the entered password?

I hope I have explained the problem as clearly as possible :)

1 Answer

Are you storing the passwords in the classic "crypt" DES format (14 characters long, a-z, A-Z, 0-9, "." and/or "/" characters, like: "papAq5PwY/QQM", with no $ signs in the encrypted password)?

If you are, that would explain it. That format is limited to 8 characters, so anything past 8 characters gets ignored. If the correct password is 8 (or more) characters, adding more characters at the end won't make a difference.

To fix it, use MD5 or SHA to store the passwords instead. If you're using the "htpasswd" command, add "-m" or "-s" to your options when you set the password.

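To see the difference between the three htpasswd formats the answer mentions, here is a small checker, added for this thread and not part of the original answer or of Apache's code, that verifies a password against .htpasswd entries the way mod_auth does: the "$apr1$" MD5 scheme (htpasswd -m, re-implemented from the apr_md5_encode algorithm), the "{SHA}" scheme (htpasswd -s, unsalted base64 SHA-1), and anything else as a crypt(3) entry handed to the system crypt(). The user names, the passwords and the salt "r31....." are made up for the example. The $apr1$ and {SHA} entries reject "correct8junk"; the DES check, which only runs where Python still ships the crypt module, shows the truncation that the question describes.

```python
"""Verify passwords against .htpasswd entries ($apr1$, {SHA}, crypt(3)).
Constructed example for this thread; names, passwords and salt are made up."""
import base64
import hashlib
import hmac
from typing import Optional

APR1_MAGIC = "$apr1$"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt-style base64: emit `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ scheme (same steps as apr_md5_encode): the whole password
    goes into the hash, so adding characters changes the result."""
    pw = password.encode()
    salt = salt[:8]
    sp = salt.encode()
    ctx = hashlib.md5(pw + APR1_MAGIC.encode() + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(final[: min(16, pl)])
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds, as in the reference code
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return APR1_MAGIC + salt + "$" + encoded


def sha1_htpasswd(password: str) -> str:
    """The {SHA} scheme: unsalted base64(SHA-1(password)), also untruncated."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def check_password(stored: str, candidate: str) -> bool:
    """True if `candidate` matches the stored .htpasswd hash."""
    if stored.startswith(APR1_MAGIC):
        salt = stored[len(APR1_MAGIC):].split("$", 1)[0]
        return hmac.compare_digest(apr1_md5(candidate, salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_htpasswd(candidate), stored)
    # Everything else is crypt(3); a 13-char entry with no '$' is DES crypt,
    # which hashes only the first 8 bytes of the password (the bug in the
    # question).  Python's crypt module, removed in 3.13, wraps the system crypt().
    try:
        import crypt
    except ImportError as exc:
        raise RuntimeError("crypt(3) entries need the crypt module") from exc
    hashed = crypt.crypt(candidate, stored)
    return hashed is not None and hmac.compare_digest(hashed, stored)


def load_htpasswd(text: str) -> dict:
    """Parse 'user:hash' lines; blank lines and '#' comments are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, hashed = line.partition(":")
            entries[user] = hashed
    return entries


def authenticate(htpasswd_text: str, user: str, password: str) -> bool:
    entries = load_htpasswd(htpasswd_text)
    return user in entries and check_password(entries[user], password)


def des_crypt_truncates(password: str, extra: str = "junk") -> Optional[bool]:
    """DES crypt gives the same hash for password and password+extra once the
    password is 8 chars long.  Returns None where crypt() is unavailable."""
    try:
        import crypt
    except ImportError:
        return None
    a, b = crypt.crypt(password, "ab"), crypt.crypt(password + extra, "ab")
    return None if a is None or b is None else a == b


# Constructed .htpasswd: alice as from `htpasswd -m`, bob as from `htpasswd -s`.
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + apr1_md5("correct8", "r31....."),
    "bob:" + sha1_htpasswd("correct8"),
])

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for pw in ("correct8", "correct8junk"):
            print(user, repr(pw), authenticate(SAMPLE_HTPASSWD, user, pw))
    print("DES crypt accepts correct8junk:", des_crypt_truncates("correct8"))
```

The $apr1$ and {SHA} paths compare the full candidate, so "correct8junk" fails for both alice and bob, while des_crypt_truncates("correct8") returns True on a system whose crypt() still supports DES, which is exactly the symptom in the question. Note that {SHA} is unsalted SHA-1, so of the two options the answer names, the salted, iterated $apr1$ form (htpasswd -m) is the one to prefer.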
