
Http authentication vs custom authentication

Posted: Tue Jun 21, 2005 11:53 pm
by raghavan20
When should one go for HTTP authentication? What is the significant advantage of using global variables to authenticate a user?

Can anyone contrast custom-made authentication using md5 with HTTP authentication?

Posted: Wed Jun 22, 2005 7:37 am
by timvw
If you use HTTP authentication, the user will be logged in as long as the browser window is open. AFAIK you can only ask for username + password in an HTTP authentication box, whereas you could ask for a domain/workgroup/whatever if you're using custom authentication...

Posted: Wed Jun 22, 2005 8:09 am
by Syranide
HTTP (htaccess) authentication is, according to me, something highly temporary, or only for a specific purpose, such as an admin interface for your private page.

Using it for anything else isn't very useful: it can't query databases, can't have restrictions/rights, can't show varying content to people who are not logged in, has no logout possibility, is incompatible with some older browsers (and can fail with newer ones sometimes too), is troublesome at times, and relies on server capability (which isn't always enabled or available)... and a lot more.

Using it for more than 1 person or as a temporary solution would make me say "noo, bad doggie!" :P

Re: Http authentication vs custom authentication

Posted: Wed Jun 22, 2005 8:45 am
by Roja
raghavan20 wrote:When should one go for HTTP authentication? What is the significant advantage of using global variables to authenticate a user?

Can anyone contrast custom-made authentication using md5 with HTTP authentication?
Well, there are two common forms of HTTP authentication, so let's clarify:

- In *basic* authentication, the user sends his username and password in cleartext, which the server checks against an encrypted store.

- In *digest* authentication, the credentials are sent via md5.

Digest requires a module to be installed on Apache (mod_auth_digest), requires Apache (for the most part, although there is a *different* equivalent for IIS), and requires running a script (command-line) to add users to the auth list.

But to the general question of "What's different between HTTP auth and PHP-designed auth":

- In PHP, you can control the appearance. In HTTP auth, it's an ugly dialog box, and all you can control is the wording.

- In PHP, you get to choose what encryption to use. In HTTP auth, you only get two choices.

- In PHP, you can store credentials in a flat file, in a database, in the code itself, on another site, and so on. In HTTP auth, it has to be in a flat file, which has to be created using command-line tools.

All in all, I have never seen a good/substantial reason to use HTTP auth. It's not cross-platform, it's rigid, and it's outdated.

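To make the Basic/Digest contrast in the post above concrete, here is an added example (my own code, not from anyone in this thread, and in Python rather than PHP because the point is what crosses the wire, not the page that renders it). It builds the Authorization header a browser would send for each scheme, verifies it the way a server would, and shows two practical consequences: a Basic header hands the password to anyone who can read it, and a Digest header keeps the password off the wire but can still be guessed offline at MD5 speed. The credential store, the nonce bookkeeping and the wordlist are constructed for the example; the realm, user, password and nonce values are the ones used in the RFC 2617 Digest example, so the computed response can be checked against that known answer.

```python
import base64
import hashlib
import secrets

# Constructed credential store for this example (not the thread's code).
# Digest auth fixes the server-side secret to HA1 = MD5(user:realm:password),
# which is why the scheme cannot be moved to a stronger hash without
# changing the protocol itself.
REALM = "testrealm@host.com"
USERS = {"Mufasa": "Circle Of Life"}


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# --- Basic: the credentials themselves travel in every request ---------------

def basic_authorization(user, password):
    """Client side of Basic auth: base64(user:password). Encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials_on_wire(header):
    """What anyone who sees the header (proxy, log file, sniffer on plain HTTP) learns."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def basic_verify(header):
    user, password = basic_credentials_on_wire(header)
    stored = USERS.get(user)
    if stored is not None and secrets.compare_digest(password, stored):
        return user
    return None


# --- Digest (RFC 2617, qop=auth): the password never leaves the client -------

def digest_response(user, password, realm, nonce, nc, cnonce, method, uri):
    """response = MD5(HA1 : nonce : nc : cnonce : qop : HA2), per RFC 2617."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def issue_nonce(issued):
    """Server issues a fresh nonce in its 401 challenge and remembers it."""
    nonce = secrets.token_hex(16)
    issued.add(nonce)
    return nonce


def digest_verify(fields, method, issued):
    """Server side. Rejects unknown users, nonces this server never issued, and
    responses that do not match the request method/URI, so a captured header
    cannot simply be replayed against a different URL. An identical request
    can still be replayed while the nonce is valid unless nc is tracked too."""
    user = fields.get("username")
    if user not in USERS or fields.get("nonce") not in issued:
        return None
    expected = digest_response(user, USERS[user], fields["realm"], fields["nonce"],
                               fields["nc"], fields["cnonce"], method, fields["uri"])
    return user if secrets.compare_digest(expected, fields["response"]) else None


def offline_guess(fields, method, wordlist):
    """Why the MD5 objection still matters: a captured Digest header can be
    checked against password guesses offline, without touching the server."""
    for guess in wordlist:
        candidate = digest_response(fields["username"], guess, fields["realm"],
                                    fields["nonce"], fields["nc"], fields["cnonce"],
                                    method, fields["uri"])
        if candidate == fields["response"]:
            return guess
    return None


def run_demo():
    """One full exchange of each scheme; returns the observable outcomes."""
    basic_hdr = basic_authorization("Mufasa", "Circle Of Life")
    leaked = basic_credentials_on_wire(basic_hdr)          # password in the clear

    issued = set()
    nonce = issue_nonce(issued)
    fields = {"username": "Mufasa", "realm": REALM, "nonce": nonce, "nc": "00000001",
              "cnonce": secrets.token_hex(4), "uri": "/dir/index.html"}
    fields["response"] = digest_response("Mufasa", "Circle Of Life", REALM, nonce,
                                         fields["nc"], fields["cnonce"], "GET", fields["uri"])
    ok = digest_verify(fields, "GET", issued)
    replayed_elsewhere = digest_verify(dict(fields, uri="/admin"), "GET", issued)
    # Constructed wordlist standing in for a real password list.
    guessed = offline_guess(fields, "GET", ["password", "letmein", "Circle Of Life"])
    return leaked, basic_verify(basic_hdr), ok, replayed_elsewhere, guessed


if __name__ == "__main__":
    print(run_demo())
```

The known-answer check against the RFC 2617 example values (nonce `dcd98b7102dd2f0e8b11d0f600bfb0c093`, cnonce `0a4f113b`, nc `00000001`, `GET /dir/index.html`) yields `6629fae49393a05397450978507c4ef1`, which is what a server implementing the scheme must compute. Note that whichever scheme is chosen, both headers are sent on every request with no logout, which is the behaviour the other posts describe; only TLS protects the Basic header from the leak shown here.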

Posted: Wed Jun 22, 2005 11:27 am
by raghavan20
I have already got a PHP authentication in place. Since this concept was new to me when I migrated from ASP, I was wondering how useful HTTP authentication is.

After going through all of your valuable comments, I am able to summarize: 'HTTP authentication' can be used when
1. one wants to access a few secure pages within a site
2. only a few people need to have access
3. you need moderate security and the user interface (the dialog box) is not important
4. domains are not in the picture
5. the session would supposedly exist for a short time (I mean if you don't want to span several pages with the session)

Posted: Wed Jun 22, 2005 11:52 am
by Roja
raghavan20 wrote: 3. security is important and not the user interface (the dialog box)
That's not accurate. MD5 is considered insecure now, and HTTP authentication doesn't give you an alternative. If security is important, you should be using sha256 (or similarly stronger algorithms).
raghavan20 wrote: 5. session would supposedly exist for a small time
The session time for HTTP auth is exactly the same as for session IDs in PHP: until the user closes the browser window, or changes context.

The other three I can't give a simple yes/no on, because they depend on your definitions. :)