  1. #1
    SitePoint Member
    Join Date
    Apr 2001
    Posts
    11
    Using .htaccess on Apache, or PHP and MySQL, for user authentication?
    Which is really the more secure?

  2. #2
    AdSpeed.com Son Nguyen's Avatar
    Join Date
    Aug 2000
    Location
    Silicon Valley
    Posts
    2,241
    It depends on how secure your implementation of PHP & MySQL for authenticating users is.
    But .htaccess is a built-in authentication method, so I guess it's simpler. It might not be suitable for every webmaster's needs, so we have to derive a custom solution.
    - Son Nguyen
    AdSpeed.com - Ad Serving and Ad Management Made Easy

  3. #3
    Grumpy Mole Man Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,067
    I'd say using PHP and MySQL with an HTML form and cookies is more secure, for two reasons.

    First of all, the main way either of these can be compromised is by someone using a "packet sniffer" - this is software that lets you see the contents of packets travelling through a section of a network that you have control over. What I'm about to say is something I've only just thought of myself; I've never seen anyone else say it, so it could be complete rubbish. The thing is, I just realised that HTTP authentication is done with a special header. Someone running a packet sniffer could have it set to filter and display all packets with that kind of header in them - thus they'd be able to grab all usernames and passwords that use HTTP authentication.

    If you use PHP / MySQL and cookies, your information will be transmitted as a standard posted form or cookie. These are all over the web now, and much less rare than HTTP authentication headers. As a result you wouldn't be able to run a packet sniffer that grabs these automatically, as each site's auth information would look completely different.

    I have no idea how prolific packet sniffers are, or how viable a tool for cracking they really are. All I know is that they are the reason you need to use SSL for truly secure connections (please correct me if I'm wrong).

    The other reason PHP authentication would be more secure is that, as far as I know, Apache auth has no real defence against "force" attacks. Get it wrong 3 times and it'll tell you to go away, but restart your browser and you can try again. If you are using PHP you can code in your own defences, such as disabling an account after 10 failed logins, banning an IP address from trying to log in if they get the login wrong 3 times, etc.
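    The lockout logic the post above describes, written out as an added example (this is editorial example code, not code from any poster in this thread, and Python stands in for the PHP/MySQL login being discussed). The user table and the failure log are in-memory dicts here, where a real deployment would keep them in MySQL; the limits of 10 failures per account and 3 per address come straight from the post, and the 15-minute window, the PBKDF2 hashing and the user/IP keys are assumptions made for the example. Unknown usernames take the same path and cost as wrong passwords so the form does not reveal which accounts exist.

```python
import hashlib
import hmac
import os
import time

# Limits from the post above; the window is an assumption for this example.
ACCOUNT_LIMIT = 10        # disable the account after 10 failed logins
IP_LIMIT = 3              # refuse an address after 3 failed logins
WINDOW_SECONDS = 15 * 60  # failures older than this no longer count


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so a stolen user table does not hand over passwords.
    Returns (salt, digest); pass the stored salt back in to verify."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class LoginGuard:
    """Failure bookkeeping keyed by ("user", name) and ("ip", address).
    In-memory stand-in for a MySQL failed_logins table."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.failures = {}          # key -> list of failure timestamps

    def _recent(self, key):
        now = self.clock()
        kept = [t for t in self.failures.get(key, []) if now - t < WINDOW_SECONDS]
        self.failures[key] = kept   # drop expired entries as we go
        return len(kept)

    def blocked(self, username, ip):
        return (self._recent(("user", username)) >= ACCOUNT_LIMIT
                or self._recent(("ip", ip)) >= IP_LIMIT)

    def failure(self, username, ip):
        now = self.clock()
        self.failures.setdefault(("user", username), []).append(now)
        self.failures.setdefault(("ip", ip), []).append(now)

    def success(self, username):
        # A correct login clears the account counter; the IP counter is kept
        # so a guesser who finally hits one account is still rate limited.
        self.failures.pop(("user", username), None)


def login(guard, users, username, password, ip):
    """Return 'locked', 'ok' or 'denied'. users maps name -> (salt, digest)."""
    if guard.blocked(username, ip):
        return "locked"
    record = users.get(username)
    if record is not None:
        salt, expected = record
        _, got = hash_password(password, salt)
        if hmac.compare_digest(got, expected):   # constant-time comparison
            guard.success(username)
            return "ok"
    else:
        # Burn the same hashing cost for unknown users so response time
        # does not reveal whether the username exists.
        hash_password(password, b"\x00" * 16)
    guard.failure(username, ip)
    return "denied"


if __name__ == "__main__":
    # Constructed sample data, not a real account.
    users = {"alice": hash_password("correct horse")}
    guard = LoginGuard()
    for pw in ("wrong1", "wrong2", "wrong3", "correct horse"):
        print(pw, "->", login(guard, users, "alice", pw, "10.0.0.1"))
```

    Two caveats a practitioner would add to the post's plan: an account lockout lets anyone who knows a username lock its owner out by typing ten wrong passwords, so a temporary window beats permanent disabling, and an IP ban hits everyone behind the same proxy or NAT, which is why the per-address limit here is kept short and time-boxed.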

  4. #4
    AdSpeed.com Son Nguyen's Avatar
    Join Date
    Aug 2000
    Location
    Silicon Valley
    Posts
    2,241
    One thing I'm not so sure about, but I guess it's logical.
    It's called an "authentication header", so it wouldn't be as simple as a plain-text header to get the information directly from.
    - Son Nguyen
    AdSpeed.com - Ad Serving and Ad Management Made Easy

  5. #5
    SitePoint Enthusiast nguip's Avatar
    Join Date
    Apr 2001
    Location
    Malaysia
    Posts
    95
    I guess the correct word should be "HTTP Header". This is sent by the server after the client makes a request for content.

    When you use HTTP Authentication by .htaccess, the server will then send an HTTP header with the line added:-

    WWW-Authenticate

    From CGI Programming with Perl, p. 36:
    The WWW-Authenticate field is used along with a status code of 401 to indicate that the requested resource requires such a login.
    Hope this helps
    Ngu I.P.
    Web Developer
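    The exchange post #5 describes, carried through as an added example that is not from any poster in this thread: the server's 401 with WWW-Authenticate, the browser's retry with an Authorization header, and then what post #3's packet sniffer would do with that header. The point it settles between posts #3 and #4 is that Basic credentials are only base64 of "user:password", not encrypted, and the browser resends the header on every later request to that realm; a posted login form is equally readable on the wire without SSL, just under whatever field names the site chose. Host name, realm, paths, credentials and the form field names are all constructed for the example.

```python
import base64
import binascii
import urllib.parse


def challenge(realm):
    """Server side: the response Apache sends for a .htaccess-protected URL
    before any credentials arrive. The realm is what the browser shows in
    its login box."""
    return (
        "HTTP/1.0 401 Unauthorized\r\n"
        f'WWW-Authenticate: Basic realm="{realm}"\r\n'
        "Content-Type: text/html\r\n"
        "\r\n"
    )


def retry_with_credentials(path, host, username, password):
    """Client side: the browser repeats the request with an Authorization
    header. The token is base64 of 'user:password' and nothing more."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Basic {token}\r\n"
        "\r\n"
    )


def _headers(raw_request):
    """Minimal header parser: request line, then Name: Value lines up to
    the blank line. Names are lower-cased for lookup."""
    out = {}
    for line in raw_request.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out


def sniff_basic_credentials(raw_request):
    """Sniffer side: the filter post #3 imagines. Returns (username, password)
    for any request carrying Basic credentials, else None. Only the first
    colon separates user from password, so passwords may contain colons."""
    value = _headers(raw_request).get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None            # malformed token: not usable credentials
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def sniff_form_credentials(raw_request, user_field="username", pass_field="password"):
    """Same thing for a posted login form. The field names differ from site
    to site (post #3's point), which is why they are parameters here, but the
    values are just as readable without SSL."""
    _, sep, body = raw_request.partition("\r\n\r\n")
    if not sep:
        return None
    fields = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    if user_field in fields and pass_field in fields:
        return fields[user_field], fields[pass_field]
    return None


if __name__ == "__main__":
    # Constructed exchange, not a real capture.
    print(challenge("Members Only"))
    request = retry_with_credentials("/members/", "www.example.com", "alice", "s3cret")
    print(request)
    print("sniffer sees:", sniff_basic_credentials(request))
```

    Note that the sniffer also only needs one successful match per session: because the browser keeps sending the same Authorization header, every page view inside the protected area carries the password again, not just the first login.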

