HTTP Authentication .vs. Session Authentication

Greetings. I am designing a PHP application (yes, I have
investigated using existing applications). I cannot use HTTPS
for reasons I shall not disclose. I must authenticate users
against a database (MySQL) before granting them access. There
are two methods I am considering: HTTP authentication, and session
authentication. My webpage is spread across multiple scripts, and
the user must not have to repeatedly reauthenticate him/herself.
It does not matter, however, if the login session remains or is
destroyed when the browser closes, although destruction is

To my knowledge, PHP only supports Basic HTTP authentication.
This would be easier, and if it matches session authentication in
security, I would prefer to use it. Session authentication would
be accomplished via a hashed password supplied in a form, sent via
POST, after which the userid or another identifying piece of data
would be stored in a session variable. My webserver does host other
websites, and I cannot adjust its configuration. It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?

Any recommendations would be greatly appreciated.

Jul 17 '05 #1
Anonymous wrote:
It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?

This is true, although the credentials are base64 encoded. Sending the
credentials to satisfy Basic authentication would be done as follows:

$user = 'user';
$pass = 'pass';

// The credentials are "user:pass", base64-encoded (an encoding, not encryption).
header("Authorization: Basic " . base64_encode("$user:$pass"));

Using session-based authentication will only be safer because the
credentials are sent just once. However, the cookie header, which contains
the session id, is also sent in plain text each time a request is made.

If you really care about security, SSL tunneling would be the way to go.

Jul 17 '05 #2
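
The comparison made in the reply above, as an added example that is not part of the original thread: it reads two constructed plaintext requests and reports which secrets each one carries. The host name, the session id value and the function name `exposedSecrets` are assumptions made for illustration; `PHPSESSID` is PHP's default session cookie name.

```php
<?php
// Added example: what one request exposes on a plaintext (non-HTTPS) link.
// Both requests below are constructed sample data, not captured traffic.

/** Return the secrets readable from one raw HTTP request's headers. */
function exposedSecrets(string $rawRequest): array
{
    $found = [];
    // The header section ends at the first blank line.
    [$head] = explode("\r\n\r\n", $rawRequest, 2);
    foreach (explode("\r\n", $head) as $line) {
        if (preg_match('/^Authorization:\s*Basic\s+(\S+)/i', $line, $m)) {
            // base64 is an encoding, not encryption: decoding needs no key.
            $decoded = base64_decode($m[1], true);
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                // Split on the first colon only; a password may contain ':'.
                [$user, $pass] = explode(':', $decoded, 2);
                $found['username'] = $user;
                $found['password'] = $pass;
            }
        } elseif (preg_match('/^Cookie:\s*(.+)$/i', $line, $m)) {
            foreach (explode(';', $m[1]) as $pair) {
                [$name, $value] = array_pad(explode('=', trim($pair), 2), 2, '');
                if ($name === 'PHPSESSID') { // PHP's default session cookie name
                    $found['session_id'] = $value;
                }
            }
        }
    }
    return $found;
}

// Constructed request as sent under Basic authentication (repeated on every page).
$basicRequest = "GET /page2.php HTTP/1.1\r\nHost: example.test\r\n"
    . "Authorization: Basic " . base64_encode('user:pass') . "\r\n\r\n";

// Constructed request as sent after a session login (password went once, at login).
$sessionRequest = "GET /page2.php HTTP/1.1\r\nHost: example.test\r\n"
    . "Cookie: PHPSESSID=constructedsessionid123\r\n\r\n";

print_r(exposedSecrets($basicRequest));   // username and password
print_r(exposedSecrets($sessionRequest)); // session id only
```

Either value is enough to act as the user for as long as it stays valid, so the session approach reduces how often the password crosses the wire without protecting the session itself.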
