Re: Opinion sort re user authentication ?

nospam_at_geniegate.com
Date: 12/21/04


Date: Tue, 21 Dec 2004 03:01:47 GMT

Tony Benham <tonyb@kerrisway.freeserve.co.uk> wrote:
> I'm looking at schemes to add a user/passwd system to a website using
> php/mysql. I'm not storing financial data or anything very sensitive. I
> currently have protected pages in a directory area using fixed
> .htaccess/htpasswd files but would like more flexibility to allow users to
> have their own usernames/passwords rather than a couple of fixed ones for
> the site.

By fixed, do you mean 1 username for area FOO and another for area BAR? Or do
you mean "the ability to add users without using the htpasswd utilities"?

If it's the former, (You don't mind manually adding users) just use apache
groups to limit who gets access to what.

> I've looked at various tutorials/examples, and most use php/mysql to store
> tables of users/passwds, but how this info is used seems to divide into 2
> approaches.
> 1.The users are added into a scheme using .htaccess/.htpasswd files in
> directories that need protection.
> 2.Functions are added to each protected page that check that the user session
> variable is valid; if not, the page doesn't allow access.
> Is there a good reason to use either approach over another for security
> reasons ?
> Is there any other approach which may be better ?
> Tony

There are about as many solutions as you'd care to dream up. :-)

Adding functions to each page (or creative use of mod_rewrite) is commonly
known as "session based" or "form based" because it doesn't use HTTP
authentication. It has the advantage that you can provide a Logout function
and you can determine the look of the login box. Basically, you get more
control. (You can't log someone out with the HTTP based authentication)

Unfortunately, session based is more involved than HTTP based.

You can actually use both if you want to. My script can work with HTTP based
authentication by working with the headers. It can then use the person's
username to look up the data from mysql. It'll also update passwords (and
groups) so Apache can use them on other pages.

I favor session based, just because it gives you more control.

Jamie

-- 
http://www.geniegate.com                    Custom web programming
guhzo_42@lnubb.pbz (rot13)				   User Management Solutions
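
One way to put the two approaches from this thread side by side in code, as an added example that is not Jamie's script and not part of the original posts. It assumes PHP 7.3 or later with PDO, a MySQL table `users(username, pw_hash)` whose `pw_hash` column holds `password_hash()` output, and placeholder DSN credentials; `current_user()` honours Apache's HTTP authentication result (`PHP_AUTH_USER`) when a directory is protected by .htaccess, and otherwise falls back to the PHP session, which is the only path that can be logged out.

```php
<?php
// auth.php - added example (not the original poster's code). Assumed schema:
// users(username VARCHAR(64) PRIMARY KEY, pw_hash VARCHAR(255)); DSN values
// below are placeholders.
declare(strict_types=1);

const DSN     = 'mysql:host=localhost;dbname=site;charset=utf8mb4'; // placeholder
const DB_USER = 'siteuser';                                           // placeholder
const DB_PASS = 'change-me';                                          // placeholder

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real prepared statements
        ]);
    }
    return $pdo;
}

function start_session(): void {
    if (session_status() === PHP_SESSION_NONE) {
        // Cookie is not readable from JavaScript and only sent over HTTPS.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Approach 2 (session/form based): check the password against the stored hash
// and bind the username to a freshly generated session id.
function login(string $username, string $password): bool {
    start_session();
    $stmt = db()->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // new id after login defeats session fixation
    $_SESSION['user'] = $username;
    return true;
}

// Logout exists only for the session-based path; HTTP auth has no equivalent.
function logout(): void {
    start_session();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Returns the authenticated username or null. If Apache already authenticated
// the request via .htaccess/.htpasswd (approach 1), trust that; otherwise use
// the session established by login().
function current_user(): ?string {
    if (!empty($_SERVER['PHP_AUTH_USER'])) {
        return $_SERVER['PHP_AUTH_USER'];
    }
    start_session();
    return $_SESSION['user'] ?? null;
}

// Call at the top of every protected page; redirects anonymous visitors.
function require_login(string $login_url = '/login.php'): string {
    $user = current_user();
    if ($user === null) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    return $user;
}

// Stores a new bcrypt hash in MySQL. Apache's `htpasswd -B` also writes bcrypt,
// so the same hash can be mirrored into the htpasswd file if HTTP auth is used
// on other directories (assumes Apache 2.4 with bcrypt support).
function set_password(string $username, string $new_password): void {
    $hash = password_hash($new_password, PASSWORD_DEFAULT);
    $stmt = db()->prepare('UPDATE users SET pw_hash = ? WHERE username = ?');
    $stmt->execute([$hash, $username]);
}
```

A protected page then consists of `require 'auth.php'; $user = require_login();` followed by its content, while `login.php` calls `login($_POST['user'], $_POST['pass'])` and `logout.php` calls `logout()`. Whichever approach is chosen, the credential check and the session cookie flags are the parts worth getting right first.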

