473,434 Members | 1,829 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > php > questions > http authentication .vs. session authentication

Join Bytes to post your question to a community of 473,434 software developers and data experts.

HTTP Authentication .vs. Session Authentication

Greetings. I am designing a PHP application (yes, I have
investigated using existing applications). I cannot use HTTPS
for reasons I shall not disclose. I must authenticate users
against a database (MySQL) before granting them access. There
are two methods I am considering: HTTP authentication, and session
authentication. My webpage is spread across multiple scripts, and
the user must not have to repeatedly reauthenticate him/herself.
It does not matter, however, if the login session remains or is
destroyed when the browser closes, although destruction is
preferred.

To my knowledge, PHP only supports Basic HTTP authentication.
This would be easier, and if it matches session authentication in
security, I would prefer to use it. Session authentication would
be accomplished via a hashed password supplied in a form, sent via
POST, after which the userid or another identifying piece of data
would be stored in a session variable. My webserver does host other
websites, and I cannot adjust its configuration. It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?

Any recommendations would be greatly appreciated.

--
Anonymous
Jul 17 '05 #1
1 2892
Anonymous wrote:
It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?


This true, although the credentials are base64 encoded. Sending the
credentials to satisfy Basic authentication would be done as follows:

$user = 'user';
$pass = 'pass';

header("Authorization: Basic " . base64endode("$user:$pass"));

Using session based authentication will only be saver because the
credentials are send just once. However, the cookie header, which contains
the session id, is send in plain text also each time a request is made.

If you really care about security, SSL tunneling would be the way to go.
JW

Jul 17 '05 #2
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

10
Authentication with sessions...
by: Mark H | last post by:
Hey all-- I'm building a database and I basically need to keep out people who aren't authorized, but it's not like I need top security here. I'm just doing basic user/pass of a SQL database, and...
PHP
1
ASP.NET Forms Authentication Questions...
by: Paul Daly (MCP) | last post by:
Background: I want to be able to authenticate users whose usernames & passwords are stored in a SQL database. I only want certain pages to require authentication. I have tried to implement this...
.NET Framework
4
ASP.NET Authentication exception case
by: Jay | last post by:
I have authentication set for my site but I need one page to be an exception case. Namely my forgot password page. How do I tell the webconfig file to authenciate all pages except one page? ...
C# / C Sharp
5
Multiple sessions and forms-based authentication
by: Rob | last post by:
I have an ASP.NET application that uses forms-based authentication. A user wishes to be able to run multiple sessions of this application simultaneously from the user's client machine. The...
ASP.NET
1
Catching forms authentication expiry
by: Andy Fish | last post by:
Hi, I have an asp.net web app whereby I authenticate the user with Forms Authentication and store details about him in the session. I want to be able to catch an event when the users...
ASP.NET
3
HTTP/1.1 500 Internal Server Error
by: Niranjan Roy | last post by:
When trying to create Web application project from inside my Visual Studio.Net, I am getting the following error: --------------------------- Microsoft Development Environment ...
ASP.NET
4
3-Tier Web Application, forms authentication, persistence of user
by: Trevor Andrew | last post by:
Hi There, Hopefully this isn't too difficult a question to express here. I have a 3 tier application. 1. Presentation Tier: ASP.NET web application. 2. Middle Tier: ASP.NET Web Services that...
ASP.NET
2
Authentication: multiple auth types for one site
by: Steve | last post by:
I'm looking for feedback on an authentication solution we are considering for an ASP.NET 2.0 project. The site will be accessed by both internal users who are logged into the Windows domain, and...
ASP.NET
1
Forms Authentication Problem: Session expired, pages can still be visited.
by: gnewsgroup | last post by:
I am using forms authentication for a web application. Like many other member web application, my web application prints out Welcome! John Doe (Logout) on the top right corner of each...
ASP.NET
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General
0
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Career Advice
0
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...
Microsoft Access / VBA
0
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
C# / C Sharp
0
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The...
Networking - Hardware / Configuration
0
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!