Http authentication vs custom authentication

raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Http authentication vs custom authentication

Post by raghavan20 »

When should one go for HTTP authentication? What is the significant advantage of using global variables to authenticate a user?

Can anyone contrast between custom-made authentication using md5 and HTTP authentication?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

If you use HTTP authentication, the user will be logged in as long as the browser window is open. AFAIK you only ask for username + password from an HTTP authentication box, whereas you could ask for a domain/workgroup/whatever if you're using custom authentication...
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

HTTP (htaccess) authentication is, according to me, something highly temporary, or only for a specific reason, such as an admin interface for your private page.

Using this for anything else isn't very useful, as it can't query from databases, can't have restrictions/rights, can't have varying content for people that are not logged in, has no logout possibility, is incompatible with some older browsers (and can fail with newer ones sometimes too), is troublesome sometimes, relies on server capability (which isn't always enabled or available)... and a lot more things too.

Using it for more than 1 person or as a temporary solution would make me say "noo, bad doggie!" :P
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Http authentication vs custom authentication

Post by Roja »

raghavan20 wrote:
> When should one go for HTTP authentication? What is the significant advantage of using global variables to authenticate a user?
>
> Can anyone contrast between custom-made authentication using md5 and HTTP authentication?

Well, there are two common forms of HTTP authentication, so let's clarify:

- In *basic* authentication, the user sends his username and password in cleartext, which the server checks against an encrypted store.

- In *digest* authentication, the credentials are sent via md5.

Digest requires a module to be installed on Apache (mod_auth_digest), requires Apache (for the most part, although there is a *different* equivalent for IIS), and requires running a script (command-line) to add users to the auth list.

But the general question of "What's different from HTTP auth to PHP-designed auth":

- In PHP, you can control the appearance. In HTTP auth, it's an ugly dialog box, and all you can control is the wording.

- In php, you get to choose what encryption to use. In http auth, you only get two choices.

- In PHP, you can store credentials in a flat file, in a database, in the code itself, on another site, and so on. In HTTP auth, it has to be in a flat file, which has to be created using command-line tools.

All in all, I have never seen a good/substantial reason to use HTTP auth. It's not cross-platform, it's rigid, and it's outdated.
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

(modified)

Post by raghavan20 »

I have already got a PHP authentication in place. Since this concept was new to me when I migrated from ASP, I was wondering how useful HTTP authentication is.

After going through all of your valuable comments, I am able to summarize that 'HTTP authentication' can be used when
1. one wanted to access few secure pages within a site
2. few people wanted to have access to
3. you need moderate security and the user interface is not important (the dialog box)
4. domains are not in the picture
5. session would supposedly exist for a small time (I mean if you don't want to span several pages with the session)
Last edited by raghavan20 on Wed Jun 22, 2005 4:09 pm, edited 1 time in total.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

raghavan20 wrote:
> 3. security is important and not the user interface (the dialog box)

That's not accurate. MD5 is considered insecure now, and HTTP authentication doesn't give you an alternative. If security is important, you should be using sha256 (or similarly stronger algorithms).

raghavan20 wrote:
> 5. session would supposedly exist for a small time

The session time for HTTP auth is exactly the same as session_id's in PHP: until the user closes the browser window, or changes context.

The other three I can't give a simple yes/no on, because they depend on your definitions. :)