Page 1 of 2

Logins, .htaccess, and security

Posted: Fri Nov 28, 2003 2:27 pm
by nufferkay
Hey all,

I'm working on an app that handles publishing of event information. At this point, it doesn't need to be able to support multiple users.

The question: Is it safe to protect the admin functions by just sticking those scripts in a .htaccess-protected directory rather than adding an authentication system?

If it becomes more complex and begins to require multi-user authentication, obviously I'll add that in, but I suspect it never will.

What sorts of things should I consider when deciding how to handle this?

thanks!
-N

Posted: Thu Dec 11, 2003 2:30 pm
by AnsonM
This is pretty old... but if you want some help... please PM me and I can help.

Posted: Fri Dec 12, 2003 2:23 am
by twigletmac
Why not help by adding comments to the board? That way you don't just help the OP (original poster) but anyone else who has a similar question.

Mac

Posted: Sun Dec 14, 2003 4:44 am
by cybaf
I would say that using .htaccess is not really a security measure. because it is really easy to break into such a system. but I guess it depends on the need for security. I tend to use an authentification system in all cases, due to security and style issues.

//cybaf

Posted: Sun Dec 14, 2003 12:46 pm
by nufferkay
Hi folks,

Sorry, my internet connection has been down for several days. Thanks for your replies.

cybaf, in what way is a .htaccess - protected directory easy to break into? Do you mean that the username/password check is easy to circumvent? I guess I don't know enough about Apache...

thanks again,
-N

Posted: Sun Dec 14, 2003 2:10 pm
by delorian
It is well known that security is a very complex matter and it is hard to achieve a good level of it. One can say that something super-secure that is not used in proper way is not secure at all, and the worst password is better than no password at all. So if you do not need the super-duper-extra-protection, and you would like to use Apache authentication methods, I would choose Digest instead of Basic and SSL connection. Sniffing is much harder then, but not imposible. The disadvantage of using Digest method is that it is not supported by php (if I am wrong, sorry, I did not used it for a while) and does not sets PHP_AUTH_USER, and PHP_AUTH_PW variables. You can also use SSL client authentication. I never done than, but read about it. You client computer has its own key which is required for login. This, plus you password, can give you something, not big, but something.

Useful links:

http://apache.org
http://modssl.org

Posted: Sun Dec 14, 2003 2:29 pm
by nufferkay
So basically, if none of the data being transmitted is sensitive (except of course for the login), I should be OK just using Digest authentication?

I suppose if I integrated authentication into my app, I'd have to use SSL to send the username/pwd with any degree of security anyway, huh?

Posted: Sun Dec 14, 2003 4:23 pm
by delorian
nufferkay wrote:So basically, if none of the data being transmitted is sensitive (except of course for the login), I should be OK just using Digest authentication?
Every data which is used to proove your id is sensitive. When you use Digest the login and password are sent in hash form, but still they are sent in plain text. Someone could sniff those hashed values and use it for log in into to your system, but of course it is harder than in Basic method. So if you also use SSL you will get rid of most of (but not all) the sniffers. Of course you are not completely safe, but who is today :D

My advise: do not panic (only kernels are allowed to panic from time to time :D), use as many security measures as neccessary, but do not exaggerate and do not use something you do not know how it works.

Posted: Thu Dec 18, 2003 6:26 am
by cybaf
digest login is a better choice, but it is not supported by all browsers (AFAIK)...

What I was talking about is that when you are using .htaccess as a loginmethod, the username and password that are sent over the network can easily be picked up by someone who is sniffing the network. And when they have the username and password, they can obviously login at any time. SSL is of course the best security measure, when it comes to preventing eavsdropping on the network, however, I personally think that it is too expensive to get a signed certificate from verisign, and it is quite ugly with a popup if you sign it your self...

//cybaf

Posted: Sun Dec 21, 2003 2:12 pm
by nufferkay
thanks, cybaf and delorian.

So in the end (assuming that I'm not about to buy an SSL certificate), what would you recommend doing?

-N

Posted: Sun Dec 21, 2003 2:24 pm
by basdog22
I guess this post is solved by i will add my thoughts here:

I think using an authentication system everytime is a better option.

Explain...
If it becomes more complex and begins to require multi-user authentication, obviously I'll add that in, but I suspect it never will.
My way of thinking is always for the future :wink: so why not adding the system now and have your mind focused on other issues?

Never say Never. Even if the odds are 99% not to need it.

I hope you do the right thing

Posted: Sun Dec 21, 2003 2:45 pm
by nufferkay
But even with an authentication system, the username/pwd are being sent in plaintext, no?

Posted: Sun Dec 21, 2003 5:10 pm
by infolock
why not just use sessions.

http://www.php.net/session

Posted: Mon Dec 22, 2003 12:28 pm
by nufferkay
Er, I figure that in implementing a login script, I'd use sessions - but sessions don't eliminate the need for a login and sending plaintext username/pwd.

Posted: Mon Dec 22, 2003 12:35 pm
by delorian
I think that SSL (and some methods of tunneling) eliminate the need of sending username/password in plaintext. Is there any other option :?: :D