Logins, .htaccess, and security
Moderator: General Moderators
Logins, .htaccess, and security
Hey all,
I'm working on an app that handles publishing of event information. At this point, it doesn't need to be able to support multiple users.
The question: Is it safe to protect the admin functions by just sticking those scripts in a .htaccess-protected directory rather than adding an authentication system?
If it becomes more complex and begins to require multi-user authentication, obviously I'll add that in, but I suspect it never will.
What sorts of things should I consider when deciding how to handle this?
thanks!
-N
I'm working on an app that handles publishing of event information. At this point, it doesn't need to be able to support multiple users.
The question: Is it safe to protect the admin functions by just sticking those scripts in a .htaccess-protected directory rather than adding an authentication system?
If it becomes more complex and begins to require multi-user authentication, obviously I'll add that in, but I suspect it never will.
What sorts of things should I consider when deciding how to handle this?
thanks!
-N
- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK
Hi folks,
Sorry, my internet connection has been down for several days. Thanks for your replies.
cybaf, in what way is a .htaccess - protected directory easy to break into? Do you mean that the username/password check is easy to circumvent? I guess I don't know enough about Apache...
thanks again,
-N
Sorry, my internet connection has been down for several days. Thanks for your replies.
cybaf, in what way is a .htaccess - protected directory easy to break into? Do you mean that the username/password check is easy to circumvent? I guess I don't know enough about Apache...
thanks again,
-N
It is well known that security is a very complex matter and it is hard to achieve a good level of it. One can say that something super-secure that is not used in proper way is not secure at all, and the worst password is better than no password at all. So if you do not need the super-duper-extra-protection, and you would like to use Apache authentication methods, I would choose Digest instead of Basic and SSL connection. Sniffing is much harder then, but not imposible. The disadvantage of using Digest method is that it is not supported by php (if I am wrong, sorry, I did not used it for a while) and does not sets PHP_AUTH_USER, and PHP_AUTH_PW variables. You can also use SSL client authentication. I never done than, but read about it. You client computer has its own key which is required for login. This, plus you password, can give you something, not big, but something.
Useful links:
http://apache.org
http://modssl.org
Useful links:
http://apache.org
http://modssl.org
Every data which is used to proove your id is sensitive. When you use Digest the login and password are sent in hash form, but still they are sent in plain text. Someone could sniff those hashed values and use it for log in into to your system, but of course it is harder than in Basic method. So if you also use SSL you will get rid of most of (but not all) the sniffers. Of course you are not completely safe, but who is todaynufferkay wrote:So basically, if none of the data being transmitted is sensitive (except of course for the login), I should be OK just using Digest authentication?
My advise: do not panic (only kernels are allowed to panic from time to time
digest login is a better choice, but it is not supported by all browsers (AFAIK)...
What I was talking about is that when you are using .htaccess as a loginmethod, the username and password that are sent over the network can easily be picked up by someone who is sniffing the network. And when they have the username and password, they can obviously login at any time. SSL is of course the best security measure, when it comes to preventing eavsdropping on the network, however, I personally think that it is too expensive to get a signed certificate from verisign, and it is quite ugly with a popup if you sign it your self...
//cybaf
What I was talking about is that when you are using .htaccess as a loginmethod, the username and password that are sent over the network can easily be picked up by someone who is sniffing the network. And when they have the username and password, they can obviously login at any time. SSL is of course the best security measure, when it comes to preventing eavsdropping on the network, however, I personally think that it is too expensive to get a signed certificate from verisign, and it is quite ugly with a popup if you sign it your self...
//cybaf
I guess this post is solved by i will add my thoughts here:
I think using an authentication system everytime is a better option.
Explain...
so why not adding the system now and have your mind focused on other issues?
Never say Never. Even if the odds are 99% not to need it.
I hope you do the right thing
I think using an authentication system everytime is a better option.
Explain...
My way of thinking is always for the futureIf it becomes more complex and begins to require multi-user authentication, obviously I'll add that in, but I suspect it never will.
Never say Never. Even if the odds are 99% not to need it.
I hope you do the right thing