
HTTP Auth vs custom login page

Why not just use HTTP Auth

         

netboy871

4:57 pm on Sep 20, 2002 (gmt 0)

10+ Year Member



I've seen many many sites go to extreme effort to write their own user authentication routines. The trouble is a lot of them fall apart if the browser refuses cookies. Using a database for session management can be problematic too.

My question is this: Is there some reason more sites don't use .htaccess and HTTP Auth for their user authentication? Is it insecure? Is it too easy to spoof?

If it's a matter of "right tool for the job", when should you use custom authentication instead of .htaccess?

jatar_k

6:36 pm on Sep 20, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Welcome to WebmasterWorld [webmasterworld.com] netboy871

It always seems to depend on the situation. How many customers want the standard grey popup when they can have a lovely login page that has the look and feel of the site?

I use many different types of logins depending on what I am doing. There are so many ways to do it that most often it depends on customer/situation/what is being protected.

I would be happy using htaccess and groups for everything but that isn't always a choice.

amoore

7:12 pm on Sep 20, 2002 (gmt 0)

10+ Year Member



The main reasons people don't like using it seem to be:
  • ugly login pop-up
  • You can't (easily?) log people out
  • You have to store the login information in a flat file

For those reasons and others, I moved away from the method for a while and used things like Apache::AuthCookie. When I learned to write mod_perl modules, I learned that you can modify the default behaviour and make the basic authentication do all that stuff and more. You end up depending on the support for basic authentication that's built into almost all browsers, but also add all the advanced features that you find in other authentication and authorization schemes.

For more information, see the mod_perl developer's cookbook (section 13.7)
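
As an added example (not from the thread or from the mod_perl cookbook), the Python sketch below shows the server-side logic amoore's post describes: keeping the browser's built-in Basic authentication while checking credentials against a hashed store instead of a flat file, and forcing a re-prompt as a logout. The function names, the in-memory store, the `X-Authenticated-User` header and the sample account are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_store(users):
    """Constructed stand-in for a database table: user -> (salt, hash)."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(password, salt))
    return store

def basic_header(user, password):
    """Header value a browser sends after the pop-up: base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from an Authorization header, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def authenticate(header, store, logged_out, realm="members"):
    """Return (status, headers); logged_out holds users to re-prompt once."""
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    creds = parse_basic(header)
    if creds is None:
        return 401, challenge
    user, password = creds
    # Unknown users still cost one hash, so timing does not reveal valid names.
    salt, expected = store.get(user, (b"\0" * 16, b""))
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return 401, challenge
    if user in logged_out:
        # A 401 on valid credentials typically makes the browser re-prompt.
        logged_out.discard(user)
        return 401, challenge
    return 200, {"X-Authenticated-User": user}
```

Because the header carries the password in reversible base64 on every request, this only makes sense over HTTPS.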