
HTTP Authentication .vs. Session Authentication

Greetings. I am designing a PHP application (yes, I have
investigated using existing applications). I cannot use HTTPS
for reasons I shall not disclose. I must authenticate users
against a database (MySQL) before granting them access. There
are two methods I am considering: HTTP authentication, and session
authentication. My webpage is spread across multiple scripts, and
the user must not have to repeatedly reauthenticate him/herself.
It does not matter, however, if the login session remains or is
destroyed when the browser closes, although destruction is
preferred.

To my knowledge, PHP only supports Basic HTTP authentication.
This would be easier, and if it matches session authentication in
security, I would prefer to use it. Session authentication would
be accomplished via a hashed password supplied in a form, sent via
POST, after which the userid or another identifying piece of data
would be stored in a session variable. My webserver does host other
websites, and I cannot adjust its configuration. It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?

Any recommendations would be greatly appreciated.

--
Anonymous
Jul 17 '05 #1
1 Reply


Anonymous wrote:
It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?


This is true, although the credentials are base64 encoded. Sending the
credentials to satisfy Basic authentication would be done as follows:

// Credentials to be sent for Basic authentication
$user = 'user';
$pass = 'pass';

// base64 only encodes "user:pass"; it is reversible, not encryption
header("Authorization: Basic " . base64_encode("$user:$pass"));

Using session based authentication will only be safer because the
credentials are sent just once. However, the cookie header, which contains
the session id, is sent in plain text also each time a request is made.

If you really care about security, SSL tunneling would be the way to go.
JW

Jul 17 '05 #2
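The two schemes the thread compares, written out as an added example (not code from the original thread; modern PHP). The user table, the realm name and the function names are my own, and the Basic-auth part assumes PHP fills $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'], which it does when running as an Apache module.

```php
<?php
// Added example, not from the thread. Constructed user table, hashed at load time.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
// Basic auth: the browser repeats "Authorization: Basic base64(user:pass)"
// on every request in the realm. base64 is reversible, so anyone who can
// read the request can read the password.
function parse_basic(string $header): ?array {
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // [user, pass]; pass may contain ':'
}
// Server side of Basic auth (assumes PHP as Apache module fills PHP_AUTH_*);
// this runs on every page load, since every request carries the credentials.
function basic_auth_user(array $users): ?string {
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        header('WWW-Authenticate: Basic realm="Members"');
        http_response_code(401);
        return null;
    }
    $u = $_SERVER['PHP_AUTH_USER'];
    if (isset($users[$u]) && password_verify($_SERVER['PHP_AUTH_PW'], $users[$u])) {
        return $u;
    }
    http_response_code(401);
    return null;
}
// Session auth: the password crosses the wire once, in the login POST;
// afterwards only the session id travels in the cookie (still in clear
// without SSL) and the user id is read back from $_SESSION.
function session_user(array $users): ?string {
    session_start();
    if (isset($_SESSION['uid'])) {
        return $_SESSION['uid'];
    }
    $u = $_POST['user'] ?? '';
    $p = $_POST['pass'] ?? '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($u) && is_string($p)
        && isset($users[$u]) && password_verify($p, $users[$u])) {
        session_regenerate_id(true); // fresh id after login
        $_SESSION['uid'] = $u;
        return $u;
    }
    return null;
}
```

Without SSL both variants expose something reusable on every request (the password itself with Basic auth, the session id with sessions), which is the point JW makes above.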
