OT: strange .htaccess problem

OT: strange .htaccess problem

kimonostereo
Hi all,

I was wondering if any of you have ever experienced a problem
with .htaccess like the one I am experiencing. To be upfront, I am
running a standard install of Mac OSX 10.5.7 with MacPorts and
apache2/php5/mysql5/Lasso on a new Quad Core Xeon MacPro.

When I access a password protected page, it will accept the correct  
username and password. This is normal. What isn't normal is that I can  
also get to the page by using the correct username and password with  
anything else at the end of it!

for example:
password: helloworld
will allow access, but so will
password: helloworldthisismoretext
and anything else for that matter.

Not sure what the problem is but I've done everything I can think of
to get it NOT to work that way.

I have another server running almost the same configuration and it  
doesn't have this issue at all.

Have any of you seen this?

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/



Re: OT: strange .htaccess problem

Bil Corry-3
Scott Yoshinaga wrote on 7/31/2009 1:37 PM:

> I was wondering if any of you have ever experienced a problem with
> .htaccess like the one I am experiencing. To be upfront, I am running a
> standard install of Mac OSX 10.5.7 with MacPorts and
> apache2/php5/mysql5/Lasso on a new Quad Core Xeon MacPro.
>
> When I access a password protected page, it will accept the correct
> username and password. This is normal. What isn't normal is that I can
> also get to the page by using the correct username and password with
> anything else at the end of it!
>
> for example:
> password: helloworld
> will allow access, but so will
> password: helloworldthisismoretext
> and anything else for that matter.
>
> Not sure what the problem is but I've done everything I can think of to
> get it NOT to work that way.
>
> I have another server running almost the same configuration and it
> doesn't have this issue at all.

Are you using Lasso to process the username/password?  IIRC, Lasso defaults to 'beginswith' for normal inlines and you have to specifically use -eq.  Also, for MySQL, unless the column storing the password is marked as binary, it will be case-insensitive.


- Bil



Re: OT: strange .htaccess problem

kimonostereo

On Jul 31, 2009, at 8:44 AM, Bil Corry wrote:

> Scott Yoshinaga wrote on 7/31/2009 1:37 PM:
>> I was wondering if any of you have ever experienced a problem with
>> .htaccess like the one I am experiencing. To be upfront, I am running a
>> standard install of Mac OSX 10.5.7 with MacPorts and
>> apache2/php5/mysql5/Lasso on a new Quad Core Xeon MacPro.
>>
>> When I access a password protected page, it will accept the correct
>> username and password. This is normal. What isn't normal is that I can
>> also get to the page by using the correct username and password with
>> anything else at the end of it!
>>
>> for example:
>> password: helloworld
>> will allow access, but so will
>> password: helloworldthisismoretext
>> and anything else for that matter.
>>
>> Not sure what the problem is but I've done everything I can think of to
>> get it NOT to work that way.
>>
>> I have another server running almost the same configuration and it
>> doesn't have this issue at all.
>
> Are you using Lasso to process the username/password?  IIRC, Lasso  
> defaults to 'beginswith' for normal inlines and you have to  
> specifically use -eq.  Also, for MySQL, unless the column storing  
> the password is marked as binary, it will be case-insensitive.
>
>
> - Bil
>



Hi Bil,
No, I'm not. It's just a regular/standard .htaccess file pointing to
a .htpasswd file. The .htpasswd hash seems to be ok but I can't figure
out why it accepts input other than the real password.

thanks
\\scott\\



Re: OT: strange .htaccess problem

Bil Corry-3
Scott Yoshinaga wrote on 7/31/2009 1:54 PM:
> It's just a regular/standard .htaccess file pointing to a
> .htpasswd file. The .htpasswd hash seems to be ok but I can't figure out
> why it accepts input other than the real password.

I don't use .htaccess (or .htpasswd), so I can't offer a solution for you.  If no one else can either, you might try an Apache list.


- Bil



Re: OT: strange .htaccess problem

stevepiercy
On Friday, July 31, 2009, [hidden email] (Scott Yoshinaga) pronounced:

>When I access a password protected page, it will accept the correct  
>username and password. This is normal. What isn't normal is that I can  
>also get to the page by using the correct username and password with  
>anything else at the end of it!
>
>for example:
>password: helloworld
>will allow access, but so will
>password: helloworldthisismoretext
>and anything else for that matter.
>
>Not sure what the problem is but I've done everything I can think of
>to get it NOT to work that way.
>
>I have another server running almost the same configuration and it  
>doesn't have this issue at all.
>
>Have any of you seen this?

Nope, never seen it.

What is different between the two servers?  Specifically compare Apache configuration files at all levels, from server to virtual host to .htaccess.

When requesting a protected page, what does the authentication prompt state?  It should state something close to:

    Authentication Required

    A username and password are being requested by [URL].  The site says:
    "[fully qualified domain name]"

...with no mention of Lasso.

What happens if you quit and relaunch the browser, then try to authenticate again?

Perhaps you have cached some credentials, and Apache is falling back on a default authentication.

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>


Re: OT: strange .htaccess problem

kimonostereo
Okay I think I figured this one out. Thanks for the suggestion on  
checking out apache list.

I was using plain ol htpasswd -c to create the .htpasswd files.

That uses crypt by default. Unfortunately it states:
When using the crypt() algorithm, note that only the first 8  
characters of the password are used to form the password. If the  
supplied password is longer, the extra characters will be silently  
discarded.

So I have to use htpasswd -cm to use MD5 instead. Tested this out and  
it solves the problem of only 8 characters.
*whew*!

More info here:
http://httpd.apache.org/docs/2.2/programs/htpasswd.html


thanks all!
\\scott\\



On Jul 31, 2009, at 9:42 AM, Steve Piercy - Web Site Builder wrote:

> On Friday, July 31, 2009, [hidden email] (Scott Yoshinaga)  
> pronounced:
>
>> When I access a password protected page, it will accept the correct
>> username and password. This is normal. What isn't normal is that I can
>> also get to the page by using the correct username and password with
>> anything else at the end of it!
>>
>> for example:
>> password: helloworld
>> will allow access, but so will
>> password: helloworldthisismoretext
>> and anything else for that matter.
>>
>> Not sure what the problem is but I've done everything I can think of
>> to get it NOT to work that way.
>>
>> I have another server running almost the same configuration and it
>> doesn't have this issue at all.
>>
>> Have any of you seen this?
>
> Nope, never seen it.
>
> What is different between the two servers?  Specifically compare  
> Apache configuration files at all levels, from server to virtual  
> host to .htaccess.
>
> When requesting a protected page, what does the authentication  
> prompt state?  It should state something close to:
>
>    Authentication Required
>
>    A username and password are being requested by [URL].  The site says:
>    "[fully qualified domain name]"
>
> ...with no mention of Lasso.
>
> What happens if you quit and relaunch the browser, then try to  
> authenticate again?
>
> Perhaps you have cached some credentials, and Apache is falling back  
> on a default authentication.
>
> --steve
>
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
> Steve Piercy               Web Site Builder               Soquel, CA
> <[hidden email]>                  <http://www.StevePiercy.com/>
>


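An added example (not part of the original posts, and not Apache's own code) for the fix described in the last message: it reads a .htpasswd body, names each entry's hash scheme, and flags the crypt() entries that only cover the first 8 characters so they can be re-created with `htpasswd -m`. The function names and the sample entries are assumptions made for the illustration; the hash values are constructed and only have the right shape.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(hash_field):
    """Name the scheme of one .htpasswd hash field by its prefix or shape."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"          # what `htpasswd -m` writes
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if hash_field.startswith("$2y$"):
        return "bcrypt"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"         # only the first 8 characters are hashed
    return "unknown"

def checked_part(password, scheme):
    """The part of a typed password that actually takes part in the comparison."""
    return password[:8] if scheme == "des-crypt" else password

def audit(text):
    """Return (line_no, user, scheme, truncates) for each entry in a .htpasswd body."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        scheme = classify(hash_field)
        findings.append((line_no, user, scheme, scheme == "des-crypt"))
    return findings

# Constructed sample: the hash values only have the right shape, they are made up.
SAMPLE = """\
# demo file
scott:ab0123456789A
admin:$apr1$abcdefgh$0123456789ABCDEFGHIJKL
deploy:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

if __name__ == "__main__":
    for line_no, user, scheme, truncates in audit(SAMPLE):
        note = "  <- re-create with htpasswd -m" if truncates else ""
        print(f"line {line_no}: {user}: {scheme}{note}")
    # Both passwords from the thread reduce to the same 8 characters under crypt.
    print(checked_part("helloworld", "des-crypt"),
          checked_part("helloworldthisismoretext", "des-crypt"))
```

Changing the htpasswd default does not rewrite entries already in the file, so each flagged user needs a new hash generated from their password.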