Forum Moderators: phranque
If you REALLY want the .htaccess style login then stick with apache as it's easier to implement out-of-the-box - with IIS you'd either need access to the server or you'd need a 3rd party component.
And on top of all that, before you even consider migrating look at which features you currently use and which features you want to use - it's rare that you'll find a solid feature that one platform has but the other lacks.
- Tony
If I remember correctly it's possible to store your .htaccess login data outside the webroot - at that point the issue of "it's in plaintext" is moot because once someone can access any file outside your webroot they've compromised your machine and you've got bigger issues.
- Tony
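An added example, not part of the original posts: a Python check that walks a document root and flags any .htaccess whose AuthUserFile resolves to a file inside that root, i.e. login data that was not moved outside the webroot as the post above describes. The function names, the server_root default and the temporary directory layout are assumptions made for this illustration.

```python
import os
import re
import tempfile

# AuthUserFile takes one path argument, optionally double-quoted.
DIRECTIVE = re.compile(r'^\s*AuthUserFile\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def inside(path, root):
    """True when path resolves (symlinks followed) to a location under root."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def audit(docroot, server_root="/etc/apache2"):
    """Return (htaccess, password_file) pairs whose password file sits in docroot.

    server_root is an assumed default; Apache resolves a relative
    AuthUserFile path against its ServerRoot.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        htaccess = os.path.join(dirpath, ".htaccess")
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = DIRECTIVE.match(line)
                if not m:
                    continue
                target = os.path.join(server_root, m.group(1) or m.group(2))
                if inside(target, docroot):
                    findings.append((htaccess, target))
    return findings

def demo():
    """Build a constructed two-directory site (sample data) and audit it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    outside = os.path.join(base, "auth", "members.htpasswd")
    for name, pwfile in (("weak", os.path.join(docroot, "weak", ".htpasswd")),
                         ("good", outside)):
        os.makedirs(os.path.join(docroot, name))
        with open(os.path.join(docroot, name, ".htaccess"), "w") as fh:
            fh.write('AuthType Basic\nAuthName "Members"\n'
                     f'AuthUserFile "{pwfile}"\nRequire valid-user\n')
    return docroot, audit(docroot)

if __name__ == "__main__":
    for htaccess, pwfile in demo()[1]:
        print(f"{htaccess}: password file inside webroot: {pwfile}")
```

In the constructed site only the "weak" directory is reported; the "good" one points at a password file that sits beside the document root rather than under it.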
For another enterprise level choice, Java works very well. Tomcat is free, and if you understand ASP, you'll be able to work with JSPs. You can run Tomcat on many different OSes.
Whatever you do, it's foolhardy to tie yourself to Microsoft and IIS.
Whatever you do, it's foolhardy to tie yourself to Microsoft and IIS.
I disagree. It's no more foolhardy to become an expert in MS products than it is to become an expert in other products.
There are people who get Cisco certified and can't work on 3Com products, and BEA certified techs who can't work with Windows systems.
If I had chosen ASP and an IIS specific authentication scheme, I could only run it on IIS, right? With Apache, I am not worried about security at the OS level - the worst thing that can happen is we need to re-install another OS and reboot. I currently run Apache on Windows for development, and on Linux for production.
Not having that choice means you're tied down to a platform with a history of nasty security flaws. And that is foolhardy.
There is a reason that Apache serves up nearly 70% of the websites out there :)
[news.netcraft.com...]
Both Apache and IIS offer Basic Auth out of the box and both can offer it via a programming language such as (though not exclusively) Perl, ASP, .Net, PHP etc. etc.
I think the question should be whether Basic Auth is "better" than a session initiated authorisation system?
The first subsequent answer / question from this is "better at what?"
The answer isn't simple but ultimately when you keep asking subsequent question after question you will have a more focussed analysis of what you actually need.
Once that is done then it is time to weigh the pros and cons of the varying hardware, operating systems, programming languages and authorisation mechanisms.
Now that you're at this point, think TCO and speed of ROI rather than anything else. This is to ensure a business case motivated decision rather than a heart or gut felt one you may regret later.
Ultimately I feel it revolves around the experiences and preferences of your team.
If they have experience and preference in one platform and authorisation system compared to another the costs of cross training, development etc. need to be looked into.
Just me 2p worth and I am not going to tell you what I do here as that's what is right for me, not necessarily right for you :)
If I had chosen ASP and an IIS specific authentication scheme, I could only run it on IIS, right?
Wrong. You can run ASP on *NIX servers using the Java SunOne (formerly ChiliSoft) app server.
You are not limited to IIS, but it does run native on IIS.
The 70% number for Apache is also suspect. There are statistics to prove any argument. Consider the millions of very simple sites out there on shared servers - does each site count because it's on a shared system with one Apache?
Then take major production sites. NY TIMES for example is run on ASP, probably an IIS server. Also one site. To come up with a realistic usage number you'd have to consider the number of boxes and their platform, and figure in the traffic.
My guess is that it would be closer to 50/50, with IIS slightly above Apache in the real world.