Logins, .htaccess, and security

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

nufferkay
Forum Newbie
Posts: 24
Joined: Fri Nov 28, 2003 2:27 pm

Logins, .htaccess, and security

Post by nufferkay »

Hey all,

I'm working on an app that handles publishing of event information. At this point, it doesn't need to be able to support multiple users.

The question: Is it safe to protect the admin functions by just sticking those scripts in a .htaccess-protected directory rather than adding an authentication system?

If it becomes more complex and begins to require multi-user authentication, obviously I'll add that in, but I suspect it never will.

What sorts of things should I consider when deciding how to handle this?

thanks!
-N
AnsonM
Forum Commoner
Posts: 72
Joined: Thu Sep 25, 2003 7:21 am

Post by AnsonM »

This is pretty old... but if you want some help... please PM me and I can help.
User avatar
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Why not help by adding comments to the board? That way you don't just help the OP (original poster) but anyone else who has a similar question.

Mac
User avatar
cybaf
Forum Commoner
Posts: 89
Joined: Tue Oct 01, 2002 5:28 am
Location: Gothenburg Sweden

Post by cybaf »

I would say that using .htaccess is not really a security measure. because it is really easy to break into such a system. but I guess it depends on the need for security. I tend to use an authentification system in all cases, due to security and style issues.

//cybaf
nufferkay
Forum Newbie
Posts: 24
Joined: Fri Nov 28, 2003 2:27 pm

Post by nufferkay »

Hi folks,

Sorry, my internet connection has been down for several days. Thanks for your replies.

cybaf, in what way is a .htaccess - protected directory easy to break into? Do you mean that the username/password check is easy to circumvent? I guess I don't know enough about Apache...

thanks again,
-N
User avatar
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

It is well known that security is a very complex matter and it is hard to achieve a good level of it. One can say that something super-secure that is not used in proper way is not secure at all, and the worst password is better than no password at all. So if you do not need the super-duper-extra-protection, and you would like to use Apache authentication methods, I would choose Digest instead of Basic and SSL connection. Sniffing is much harder then, but not imposible. The disadvantage of using Digest method is that it is not supported by php (if I am wrong, sorry, I did not used it for a while) and does not sets PHP_AUTH_USER, and PHP_AUTH_PW variables. You can also use SSL client authentication. I never done than, but read about it. You client computer has its own key which is required for login. This, plus you password, can give you something, not big, but something.

Useful links:

http://apache.org
http://modssl.org
nufferkay
Forum Newbie
Posts: 24
Joined: Fri Nov 28, 2003 2:27 pm

Post by nufferkay »

So basically, if none of the data being transmitted is sensitive (except of course for the login), I should be OK just using Digest authentication?

I suppose if I integrated authentication into my app, I'd have to use SSL to send the username/pwd with any degree of security anyway, huh?
User avatar
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

nufferkay wrote:So basically, if none of the data being transmitted is sensitive (except of course for the login), I should be OK just using Digest authentication?
Every data which is used to proove your id is sensitive. When you use Digest the login and password are sent in hash form, but still they are sent in plain text. Someone could sniff those hashed values and use it for log in into to your system, but of course it is harder than in Basic method. So if you also use SSL you will get rid of most of (but not all) the sniffers. Of course you are not completely safe, but who is today :D

My advise: do not panic (only kernels are allowed to panic from time to time :D), use as many security measures as neccessary, but do not exaggerate and do not use something you do not know how it works.
User avatar
cybaf
Forum Commoner
Posts: 89
Joined: Tue Oct 01, 2002 5:28 am
Location: Gothenburg Sweden

Post by cybaf »

digest login is a better choice, but it is not supported by all browsers (AFAIK)...

What I was talking about is that when you are using .htaccess as a loginmethod, the username and password that are sent over the network can easily be picked up by someone who is sniffing the network. And when they have the username and password, they can obviously login at any time. SSL is of course the best security measure, when it comes to preventing eavsdropping on the network, however, I personally think that it is too expensive to get a signed certificate from verisign, and it is quite ugly with a popup if you sign it your self...

//cybaf
nufferkay
Forum Newbie
Posts: 24
Joined: Fri Nov 28, 2003 2:27 pm

Post by nufferkay »

thanks, cybaf and delorian.

So in the end (assuming that I'm not about to buy an SSL certificate), what would you recommend doing?

-N
basdog22
Forum Contributor
Posts: 158
Joined: Sun Nov 30, 2003 3:03 pm
Location: Greece

Post by basdog22 »

I guess this post is solved by i will add my thoughts here:

I think using an authentication system everytime is a better option.

Explain...
If it becomes more complex and begins to require multi-user authentication, obviously I'll add that in, but I suspect it never will.
My way of thinking is always for the future :wink: so why not adding the system now and have your mind focused on other issues?

Never say Never. Even if the odds are 99% not to need it.

I hope you do the right thing
nufferkay
Forum Newbie
Posts: 24
Joined: Fri Nov 28, 2003 2:27 pm

Post by nufferkay »

But even with an authentication system, the username/pwd are being sent in plaintext, no?
User avatar
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

why not just use sessions.

http://www.php.net/session
nufferkay
Forum Newbie
Posts: 24
Joined: Fri Nov 28, 2003 2:27 pm

Post by nufferkay »

Er, I figure that in implementing a login script, I'd use sessions - but sessions don't eliminate the need for a login and sending plaintext username/pwd.
User avatar
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

I think that SSL (and some methods of tunneling) eliminate the need of sending username/password in plaintext. Is there any other option :?: :D
Post Reply