[nycphp-talk] NEW PHundamentals Question - HTTP Authentication

Hans Zaunere hans at nyphp.com
Sun Oct 24 19:29:52 EDT 2004


> The limitations (can't see safe content, can't logout) are only true
> with .htaccess based HTTP Auth. But if you implement it in PHP
> instead, you should be able to accomplish both those things using
> session vars.

Exactly; this PHunny regards HTTP auth as a PHP feature, per:

http://us2.php.net/manual/en/features.http-auth.php

This eliminates the need for any .htaccess or other Apache directives,
logout is possible, and the user database could be anything that PHP can
speak to.  The headers and logic are controlled entirely in PHP.

And according to the link above (the first line of the page):

"The HTTP Authentication hooks in PHP are only available when it is
running as an Apache module and is hence not available in the CGI
version."

Also, as I read through that page, the number of "Notes", "Configuration
Note", "Compatibility Note", and so forth subheads quickly leads me to
think it's hard to determine a good time to use them.  I suppose for a
quick and dirty auth system, they are built in and handy, but then so is
.htaccess.

Lastly, the plain-text password issue isn't related to HTTP auth.  If
you create an extremely wonderful PHP solution (that doesn't use the
HTTP auth headers), and it's over HTTP versus HTTPS, your password is
just as clear as ever.

So, at the end of the day, with the advent of sophisticated web
languages like PHP, I think HTTP auth headers are antiquated.

H
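
An added example, not part of the original post: HTTP Basic auth handled entirely in PHP, with the logout and the HTTPS requirement discussed above. The realm name, the user store and the `?logout` parameter are assumptions made for illustration, and the script assumes a server API that populates `PHP_AUTH_USER` and `PHP_AUTH_PW`.

```php
<?php
// Added example, not from the original post. The realm, the user store and
// the ?logout parameter are constructed for illustration.
session_start();

const REALM = 'Members';

// Constructed user store. Hashed here only to keep the example self-contained;
// a real store holds hashes created once with password_hash().
$users = ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

// Send the 401 challenge that makes the browser prompt for credentials.
function challenge(): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    echo 'Authentication required.';
    exit;
}

// Basic credentials are only base64-encoded on every request: refuse plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required.');
}

// Logout: record in the session that the next credentials must be rejected once.
if (isset($_GET['logout'])) {
    $_SESSION['force_reauth'] = true;
    exit('Logged out.');
}

// First request after logout: answer 401 even if the browser replays its
// cached credentials, so that it prompts the user again.
if (!empty($_SESSION['force_reauth'])) {
    unset($_SESSION['force_reauth']);
    challenge();
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

// Unknown user or wrong password: challenge again.
if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
    challenge();
}

echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
    . '. <a href="?logout">Log out</a>';
```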



