Greetings. I am designing a PHP application (yes, I have
investigated using existing applications). I cannot use HTTPS
for reasons I shall not disclose. I must authenticate users
against a database (MySQL) before granting them access. There
are two methods I am considering: HTTP authentication, and session
authentication. My webpage is spread across multiple scripts, and
the user must not have to repeatedly reauthenticate him/herself.
It does not matter, however, if the login session remains or is
destroyed when the browser closes, although destruction is
preferred.
To my knowledge, PHP only supports Basic HTTP authentication.
This would be easier, and if it matches session authentication in
security, I would prefer to use it. Session authentication would
be accomplished via a hashed password supplied in a form, sent via
POST, after which the userid or another identifying piece of data
would be stored in a session variable. My webserver does host other
websites, and I cannot adjust its configuration. It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?
Any recommendations would be greatly appreciated.
--
Anonymous
investigated using existing applications). I cannot use HTTPS
for reasons I shall not disclose. I must authenticate users
against a database (MySQL) before granting them access. There
are two methods I am considering: HTTP authentication, and session
authentication. My webpage is spread across multiple scripts, and
the user must not have to repeatedly reauthenticate him/herself.
It does not matter, however, if the login session remains or is
destroyed when the browser closes, although destruction is
preferred.
To my knowledge, PHP only supports Basic HTTP authentication.
This would be easier, and if it matches session authentication in
security, I would prefer to use it. Session authentication would
be accomplished via a hashed password supplied in a form, sent via
POST, after which the userid or another identifying piece of data
would be stored in a session variable. My webserver does host other
websites, and I cannot adjust its configuration. It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?
Any recommendations would be greatly appreciated.
--
Anonymous
Comment