Forum Moderators: coopster


Using PHP to password protect a directory

how secure is it?

         

Sari

7:42 pm on Nov 9, 2004 (gmt 0)

10+ Year Member



Hi,

I'm writing a proposal for a prospective client who wants to provide all of their clients with an individual username and password to access important documents.

Originally I was thinking of using .htaccess but I've been reading some horror stories--so I'm reconsidering.

I've found a php script which would do what they want; my concern is with security. How secure would it be?

Thanks in advance for the help! :)

mincklerstraat

7:57 pm on Nov 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I can think of two things to consider:
  • if the php script is supposed to protect an entire directory, but doesn't require modification to the files inside that directory, it will probably be relying on an .htaccess file itself in the form of mod_rewrite, and should anything happen to that .htaccess file (haven't been keeping up with what's hippest in the skriptkiddieworld), your files will also be compromised. However, this might be better than normal http authentication since a smart php login script will try to keep track of unsuccessful logins and otherwise hamper brute-force attacks.

  • this is a bit more of a no-brainer answer: much will depend on the coding quality of your php authentication script. If you know little about coding and happen to pick a doozie (there are commercial ones too that fall in this category), you would be better off with regular http authentication via .htaccess.
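The failed-login tracking mentioned in the reply above, as an added example that is not part of the original thread or of any script discussed in it. The function name `attempt_login`, the constants, and the in-memory `$users` and `$failures` arrays are assumptions; a deployed script would keep both in a database.

```php
<?php
// Added example; every name below is hypothetical.
const MAX_FAILURES = 5;      // failed attempts tolerated per window
const WINDOW_SECONDS = 900;  // length of the sliding window (15 minutes)
// Hash checked for unknown usernames, so response time does not reveal
// which accounts exist.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Returns 'ok', 'denied' or 'locked'. $failures maps "username|ip" to a list
// of failure timestamps. Keying on both slows guessing against one account
// from one address; a per-account counter would also catch rotating addresses.
function attempt_login(array $users, array &$failures, string $user,
                       string $password, string $ip, int $now): string
{
    $name = strtolower($user);
    $key = $name . '|' . $ip;
    // Keep only failures that are still inside the window.
    $recent = array_values(array_filter(
        $failures[$key] ?? [],
        fn(int $t): bool => $t > $now - WINDOW_SECONDS
    ));
    $failures[$key] = $recent;
    if (count($recent) >= MAX_FAILURES) {
        return 'locked';  // refuse before the password is even checked
    }
    $known = isset($users[$name]);
    $valid = password_verify($password, $known ? $users[$name] : DUMMY_HASH) && $known;
    if ($valid) {
        unset($failures[$key]);  // a successful login clears the counter
        return 'ok';
    }
    $failures[$key][] = $now;    // record this failure
    return 'denied';
}

// Constructed demo data: one account, six wrong guesses from one address,
// then the correct password during the lockout and again after it expires.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$failures = [];
for ($i = 1; $i <= 6; $i++) {
    echo attempt_login($users, $failures, 'alice', "guess$i", '203.0.113.7', 1000 + $i), "\n";
}
echo attempt_login($users, $failures, 'alice', 'correct horse', '203.0.113.7', 1010), "\n";
echo attempt_login($users, $failures, 'alice', 'correct horse', '203.0.113.7', 1906), "\n";
```

Plain HTTP authentication via .htaccess has no equivalent counter of its own, which is the advantage the reply attributes to a well-written login script.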