Newbie htpasswd question


hammerslane
10-27-2005, 09:36 AM
Hi guys

Can somebody help me understand how .htaccess encrypts/hashes a password which a user submits, to compare it to the one in .htpasswd?

I'm using PHP to create a .htpasswd file, but I'm not sure what the normal 'salt' a web server uses is.

At the moment, I'm going $password = crypt($_POST['password'], CRYPT_STD_DES); and then putting $username . ":" . $password at the end of the .htpasswd file. That never seems to generate the correct password hash in the .htpasswd file though.

So, can someone tell me how a server hashes a submitted password?

Many thanks,
A confused .htpasswd newbie

TheBearMay
10-27-2005, 01:59 PM
See if this article helps:

http://www.phptr.com/articles/article.asp?p=31690&seqNum=5&rl=1

hammerslane
10-27-2005, 04:07 PM
Thanks Bear, that article had the answer... Apache's method of using crypt(), which is to use the first two characters of the encrypted password as the salt. Lovely.
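
The salt handling described in the post above, as an added PHP example that is not part of the original thread: it writes a DES crypt() entry and then verifies a submitted password by reusing the stored hash as the salt. The function names and the sample user are hypothetical.

```php
<?php
// Added illustration; function names and sample data are constructed.

// Build one .htpasswd line with traditional DES crypt() and a random
// two-character salt. CRYPT_STD_DES is only an "algorithm available" flag
// (an integer), so it cannot be passed as the salt argument.
function htpasswd_des_line(string $user, string $password): string
{
    $chars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt  = $chars[random_int(0, 63)] . $chars[random_int(0, 63)];
    return $user . ':' . crypt($password, $salt);
}

// Verify a submitted password against a stored line. crypt() reads the salt
// from the front of its second argument, so the stored hash itself is passed
// as the salt and the result must equal the stored hash.
function htpasswd_verify(string $line, string $user, string $password): bool
{
    $parts = explode(':', rtrim($line, "\r\n"), 2);
    if (count($parts) !== 2 || $parts[0] !== $user || strlen($parts[1]) < 13) {
        return false; // malformed line, wrong user, or truncated hash
    }
    // hash_equals() compares in constant time.
    return hash_equals($parts[1], crypt($password, $parts[1]));
}

// Constructed sample data.
$line = htpasswd_des_line('alice', 'correct horse');
echo $line, PHP_EOL;

// The right password is accepted, a wrong one is rejected.
var_dump(htpasswd_verify($line, 'alice', 'correct horse'));
var_dump(htpasswd_verify($line, 'alice', 'wrong'));

// DES crypt() only uses the first 8 characters of the password, so a
// different password sharing those 8 characters is accepted as well.
var_dump(htpasswd_verify($line, 'alice', 'correct XXXXX'));
```

Because of the 8-character truncation, DES entries are weak; Apache 2.4 also accepts bcrypt entries, which PHP produces with password_hash($password, PASSWORD_BCRYPT).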

hammerslane
10-28-2005, 09:06 AM
Leading on from this question, I have a question more to do with PHP than htaccess.

In any browser, if you try to access a folder with htaccess restrictions, it prompts you to enter a username and password. If you enter valid login details, PHP sets $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] with the correct details.

Is it possible to manually set these two $_SERVER variables, so that I could make a login page which functions the same as a htaccess login prompt?

Any link or info about this would be much appreciated.
If you think what I'm trying to do is impossible to do, please say - then I'll stop looking for a way to do this.

Thanks,
General newbie thing