Welcome! Log In Create A New Profile


Re: auth_http - Password always different

Maxim Dounin
December 23, 2019 07:42AM

On Mon, Dec 23, 2019 at 12:47:11PM +0100, nsclick@gmx.de wrote:

> Hello,
> I'm trying to use "auth_http" to handle the authentication for SMTP.
> The auth script itself is a PHP script. At the beginning of the script I'm doing the following (just for testing!!! The passwords will not be logged later):
> if( !isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"]) )
> {
> // User or Password are NOT set.
> fail("Invalid user or password");
> }
> $username = $_SERVER["HTTP_AUTH_USER"];
> $userpass = $_SERVER["HTTP_AUTH_PASS"];
> $protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];
> $fd=fopen('php_mail.log', 'a');
> fputs($fd, "User: [".$username."] Protocol: [".$protocol."] Pass: [".$userpass."]\n");
> fclose($fd);
> However, the passwords I see in the log are different all the time for the same user.
> Often they consist of 32 hexadecimal digits (but never the same combination) or sometimes they are simply the username with brackets around.
> For my understanding the received password should be the same all the time, because otherwise I cannot check the user credentials.
> Is there a problem with my understanding or do I miss something?

Check the Auth-Method header, most likely the auth method used is
not plain, but apop or cram-md5. See docs here:


for details. More information about APOP and CRAM-MD5 can be
found in relevant RFCs.

Maxim Dounin
nginx mailing list
Subject Author Posted

auth_http - Password always different

nsclick December 23, 2019 06:48AM

Re: auth_http - Password always different

Maxim Dounin December 23, 2019 07:42AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 91
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready