Bytes | Software Development & Data Engineering Community

HTTP Authentication .vs. Session Authentication

Greetings. I am designing a PHP application (yes, I have
investigated using existing applications). I cannot use HTTPS
for reasons I shall not disclose. I must authenticate users
against a database (MySQL) before granting them access. There
are two methods I am considering: HTTP authentication, and session
authentication. My webpage is spread across multiple scripts, and
the user must not have to repeatedly reauthenticate him/herself.
It does not matter, however, if the login session remains or is
destroyed when the browser closes, although destruction is
preferred.

To my knowledge, PHP only supports Basic HTTP authentication.
This would be easier, and if it matches session authentication in
security, I would prefer to use it. Session authentication would
be accomplished via a hashed password supplied in a form, sent via
POST, after which the userid or another identifying piece of data
would be stored in a session variable. My webserver does host other
websites, and I cannot adjust its configuration. It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?

Any recommendations would be greatly appreciated.

--
Anonymous
Jul 17 '05 #1
Anonymous wrote:
It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?


This is true, although the credentials are base64 encoded. Sending the
credentials to satisfy Basic authentication would be done as follows:

$user = 'user';
$pass = 'pass';

// base64 is an encoding, not encryption: anyone who sees the request can decode it
header("Authorization: Basic " . base64_encode("$user:$pass"));

Using session-based authentication will only be safer because the
credentials are sent just once. However, the cookie header, which contains
the session id, is sent in plain text also each time a request is made.

If you really care about security, SSL tunneling would be the way to go.
JW

Jul 17 '05 #2
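To make the comparison in the reply concrete, here is an added example (not code from either poster) that decodes a Basic header the way anything on the network path could, and implements the session login the question describes: a POSTed password verified against a hash stored in MySQL, with the session id regenerated on login and the cookie limited to what can still be done without HTTPS. The table and column names, and the PDO connection, are assumptions.

```php
<?php
// Added example, not from the thread. Table/column names are assumptions.

// (1) A Basic Authorization header is only base64: decodable by any
// intermediary that sees the request, which is the reply's point.
function basic_auth_credentials(string $header): ?array {
    if (!preg_match('/^Basic\s+(\S+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);        // [user, password]
}

// (2) Session login: the password is POSTed once and checked against the
// stored hash (password_hash() at registration), so no plaintext password
// is kept in the database or compared directly.
function login(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh id after login (no fixation)
    $_SESSION['userid'] = (int) $row['id'];
    return true;
}

// Guard to include at the top of every other script of the site.
function require_login(): void {
    if (empty($_SESSION['userid'])) {
        header('Location: /login.php');
        exit;
    }
}

// Cookie flags that still help without HTTPS: lifetime 0 drops the cookie
// when the browser closes; httponly keeps page scripts from reading it.
// The 'secure' flag is unavailable here, so the id still crosses the wire
// in the clear on every request, exactly as the reply warns.
session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// Hypothetical use on login.php:
// $db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass');
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && login($db, $_POST['user'], $_POST['pass'])) {
//     header('Location: /home.php');
// }
```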
