
Author PHP user authentication thru MySQL
no@emails.thx

2005-01-28, 8:56 am

Hi

I was wondering what people's opinions are regarding the various
merits of doing user/member authentication on a site? I have a
database of users with membership levels and would like a good secure
way of having people log on and access their information.

I have seen 2 ways described - one using the PHP_AUTH_USER method
(getting user/password in a popup window) and another using cookies &
sessions (getting user/password from a <form> on the page) that was
supposedly more secure.

The PHP_AUTH_USER method looks by far the easiest to write and
maintain but is it inherently less secure from hackers? Are there any
good sites where this is discussed in reasonably simple terms?

Many thanks
Chris R.

J.O. Aho

2005-01-28, 8:56 am

no@emails.thx wrote:
> Hi
>
> I was wondering what people's opinions are regarding the various
> merits of doing user/member authentication on a site? I have a
> database of users with membership levels and would like a good secure
> way of having people log on and access their information.
>
> I have seen 2 ways described - one using the PHP_AUTH_USER method
> (getting user/password in a popup window) and another using cookies &
> sessions (getting user/password from a <form> on the page) that was
> supposedly more secure.
>
> The PHP_AUTH_USER method looks by far the easiest to write and
> maintain but is it inherently less secure from hackers? Are there any
> good sites where this is discussed in reasonably simple terms?


Everything depends on how the data is sent. Usually you use http to transfer
data when you use a form; this is an unsecure way to send, as it's easy to
"listen" to the traffic and you get everything in clear text, which means that
the "listener" will get the password and login.

You need to see to that the login will be performed over https and if you use
cookies, see to that they too are sent over https, even if you just use a hash
to determine who is logged in.

Regardless what you will use, you need to see that the data is sent over a
secure "line", I'm not sure if PHP_AUTH_USER is sent with ssl or not, you need
to check that up in the docs.


//Aho
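
The advice in the reply above (credentials and session cookies only over https) applied to both approaches from the question, as an added example that is not part of the thread. The `users` table layout, the DSN and its credentials, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Placeholders: the DSN and its credentials,
// and a table users(username, password_hash, level) with password_hash() hashes.

// Never handle credentials or session cookies on a plain-HTTP request.
function require_https(): void {
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('HTTPS required');
    }
}

// Look the user up in MySQL; return the member row, or null on failure.
function check_login(PDO $pdo, string $user, string $pass): ?array {
    $stmt = $pdo->prepare('SELECT username, password_hash, level FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = $row !== false && password_verify($pass, $row['password_hash']);
    return $ok ? ['username' => $row['username'], 'level' => $row['level']] : null;
}

// Form + session: the Secure flag keeps the session id off plain http.
function login_with_form(PDO $pdo): ?array {
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = (string) filter_input(INPUT_POST, 'username');
        $member = check_login($pdo, $user, (string) filter_input(INPUT_POST, 'password'));
        if ($member !== null) {
            session_regenerate_id(true); // fresh session id after login
            $_SESSION['member'] = $member;
        }
    }
    return $_SESSION['member'] ?? null;
}

// PHP_AUTH_USER: the browser resends the password with every request, so
// every protected page must call require_https() before this.
function login_with_basic_auth(PDO $pdo): array {
    $member = check_login($pdo, $_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '');
    if ($member === null) {
        header('WWW-Authenticate: Basic realm="Members"', true, 401);
        exit;
    }
    return $member;
}

require_https();
$pdo = new PDO('mysql:host=localhost;dbname=members', 'dbuser', 'dbpass');
$member = login_with_form($pdo); // or: login_with_basic_auth($pdo)
```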