raghavan20 wrote: When should one go for HTTP authentication? What is the significant advantage of using global variables to authenticate a user?
Can anyone contrast between custom-made authentication using md5 and HTTP authentication?
Well, there are two common forms of HTTP authentication, so let's clarify:
- In *basic* authentication, the user sends his username and password in cleartext, which the server checks against an encrypted store.
- In *digest* authentication, the credentials are sent via md5.
Digest requires a module to be installed on Apache (mod_auth_digest), requires Apache (for the most part, although there is a *different* equivalent for IIS), and requires running a script (command-line) to add users to the auth list.
But the general question of "What's different from HTTP auth to PHP-designed auth":
- In PHP, you can control the appearance. In HTTP auth, it's an ugly dialog box, and all you can control is the wording.
- In PHP, you get to choose what encryption to use. In HTTP auth, you only get two choices.
- In PHP, you can store credentials in a flat file, in a database, in the code itself, on another site, and so on. In HTTP, it has to be in a flat file, which has to be created using command-line tools.
All in all, I have never seen a good/substantial reason to use HTTP auth. It's not cross-platform, it's rigid, and it's outdated.
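
Added example, not part of the original posts: a Python sketch of what the two schemes discussed above actually put in the `Authorization` header, using the sample credentials published in RFC 2617. The function names are illustrative assumptions; the digest formula is the RFC 2617 `qop=auth` case.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    # Basic: base64 is an encoding, not a hash. Without TLS the password
    # is readable by anyone who can see the request.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_basic(header):
    # What any observer of the header can do: decode it back.
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # Digest: the password never crosses the wire, only an MD5 over it,
    # the server's nonce and the request line.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, qop, response):
    # The server keeps only HA1 (what the htdigest tool writes), recomputes
    # the response for this request and compares in constant time.
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


# Sample values from RFC 2617, section 3.5.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
ARGS = ("Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html")

if __name__ == "__main__":
    print(basic_header("Aladdin", "open sesame"))
    print(recover_basic(basic_header("Aladdin", "open sesame")))
    print(digest_response(*ARGS, NONCE, "00000001", "0a4f113b"))
```

Because the digest response covers the method, URI and nonce, a captured response does not verify for a different request, whereas a captured Basic header is valid for every request.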