Re: php vs. apache login verification security?

From: Tim Van Wassenhove (euki_at_pi.be)
Date: 02/26/04


Date: 26 Feb 2004 01:00:41 GMT

On 2004-02-25, cool <coo@goontrytospamme.dk> wrote:
> Hi,
>
> I am having an argument with my boss, who is listening to an IT company
> telling him it is better for me to implement access to a website I am
> making with Apache authorization as opposed to doing the verification with
> PHP. The website will be on its own PC running Linux, Apache, mysql and
> basically nothing else. But access will be made through the company
> firewall to be able to communicate with this machine.
>
> The PHP solution is better in my opinion, because I can easily implement
> timing out the user after xxx minutes, easily implement a lifetime on a
> user's password and then allow the user to choose his/her own password
> (stored encrypted in a database). Every page on the site, including
> pop-ups, can be protected by including a single function call that does
> the login and timeout check, and a redirection to a login page if the user
> is not logged in or timed out.

The biggest drawback of PHP authentication is that you can only check
that the user is logged in when a page with that authentication code in
it is requested. When somebody requests foo.doc your authentication
functions aren't going to be called...

I'm pretty sure that you can authenticate against a mysqldb, ldap,
whatever backend from htaccess too.

-- 
http://home.mysth.be/~timvw
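
Added example (not part of the original post or its author's code): one way to close the gap described above is to keep documents such as foo.doc outside the web root and serve them through a PHP script that runs the same login and timeout check. The directory, session keys, login URL and `f` parameter are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Download gate: non-PHP files are only reachable through this script, so the
// login/timeout check runs for them too. All names below are hypothetical.

const PROTECTED_DIR = '/var/www/protected';  // assumed location outside the document root
const IDLE_LIMIT    = 900;                   // assumed idle timeout in seconds

// True when the session carries a user and was active within IDLE_LIMIT.
function session_is_valid(array $session, int $now): bool
{
    return isset($session['user'], $session['last_seen'])
        && ($now - (int) $session['last_seen']) <= IDLE_LIMIT;
}

// Map a requested name to a real file inside $baseDir, or null if it escapes it.
function resolve_protected(string $baseDir, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved ../ and symlinks; require the result to stay under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (!session_is_valid($_SESSION, time())) {
    $_SESSION = [];                              // drop the stale login state
    header('Location: /login.php', true, 302);   // assumed login page
    exit;
}
$_SESSION['last_seen'] = time();                 // sliding idle timeout

$file = resolve_protected(PROTECTED_DIR, (string) ($_GET['f'] ?? ''));
if ($file === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($file)));
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Any file left under the document root is still served by Apache without this check, so the gate only helps if the protected files are moved out of it.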

