[nycphp-talk] NEW PHundamentals Question - HTTP Authentication

Matthew Terenzio webmaster at localnotion.com
Sat Oct 23 08:05:14 EDT 2004


I think it's perfectly acceptable on an Intranet to authenticate a 
known user, but obviously not secure enough for sensitive areas on the 
public web.
For non-secure login pages, I guess it's just an easy way to accomplish 
"lite" security.

The questions I ask are, "Is the effort it takes to breach this 
security going to be worth it for anyone?" The answer is usually 
clearly yes or no. And of course, "How paranoid are you?" Sounds funny, 
but the answer to this changes depending on the environment (intranet, 
public, wireless) and depending on the data you are hiding.

While it is a step up from clear text, it should be made abundantly 
clear that it is not for purposes of hiding sensitive data from 
hackers.


On Oct 22, 2004, at 7:47 PM, csnyder wrote:

> While it's true that auth over SSL is the ideal situation, for sites
> on a virtual host I find HTTP Digest Authentication to be an
> acceptable compromise, and not really any harder to set up in an
> .htaccess context.
>
> But I think this is a PHundamental because of PHP's built-in support
> for requesting a username and password via Basic Authentication. The
> idea is that you put:
>
>    header( 'WWW-Authenticate: basic realm="Members Only" ' );
>    header( 'HTTP/1.0 401 Unauthorized' );
>
> At the top of your script, which causes the browser to cough up one of
> those little username/password dialogs. On submit, the request comes
> back to your script with $_SERVER['PHP_AUTH_USER'] and
> $_SERVER['PHP_AUTH_PW'], as documented in the manual here:
> http://www.php.net/manual/en/features.http-auth.php
>
> So now you can look those up in a MySQL table or something (or DBM if
> you like) and allow access or not.
>
> I've always thought it was a silly feature -- why not just code a
> login form? But I can see the utility for intranet applications, where
> you don't need it to be pretty and you don't need all the "Forgot your
> password?" and "Register here" stuff.
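The Basic Authentication flow csnyder describes, written out as an added example that is not code from the thread or from the PHP manual. It assumes the "MySQL table or something" is represented by an in-memory array, stores password hashes rather than plaintext, and adds a fallback for PHP running under CGI/FastCGI, where PHP_AUTH_USER and PHP_AUTH_PW are not populated.

```php
<?php
// Added example (not from the thread): 401 challenge, then check the
// credentials the browser sends back, as described in the quoted post.
declare(strict_types=1);

/** Send the challenge csnyder shows and stop the script. */
function challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authentication required');
}

/** Return [user, password] from the request, or null when none was sent. */
function basicCredentials(): ?array
{
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
    }
    // Under CGI/FastCGI PHP does not fill PHP_AUTH_*, but the raw header may
    // still be present. Its format is "Basic base64(user:password)".
    $hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($hdr, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

/** Look the user up and verify the password against the stored hash. */
function authenticate(array $users, string $user, string $pass): bool
{
    // Verify against a throwaway hash for unknown users so that a missing
    // account costs about the same time as a wrong password.
    $hash = $users[$user] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    return isset($users[$user]) && password_verify($pass, $hash);
}

// Constructed sample "table": in a real deployment the hashes live in the
// database; one is generated here only so the example runs stand-alone.
$users = ['alice' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)];

$creds = basicCredentials();
if ($creds === null || !authenticate($users, $creds[0], $creds[1])) {
    challenge('Members Only');
}
echo 'Welcome, ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8');
```

The `Authorization: Basic` header carries `base64(user:password)`, which anyone on the path can reverse, so the thread's advice to keep this to intranets or put it behind SSL applies to this script unchanged.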
