Brad Hubbard wrote:
> Can I get some feedback on the conventional wisdom as to the best solution 
> for high volume registration and authentication of users accessing a secure 
> site? I have worked before with database/session based methods as well as 
> htaccess. Which is preferred? Are there alternatives?
> Thanks for the feedback,
> Brad

I guess the first thing you should help us with is defining "high 
volume".  :)  1/sec?  100 sec?  Actually, this will probably have less
impact on archictecture than hardware, but I'm always curious as to what
'high volume' is to different people (my own view has changed
a lot over the years).

".htaccess" can be made to pull data from a database, so I don't think
there's a clear distinction to be made there.  Furthermore, if
the .htaccess is using a textfile for password authentication, how many
users are in it?  1,000?  1,000,000? 1,000,000,000?  Using a database
would be more flexible, I believe, should you need to change webservers
in the future - you probably won't be moving to IIS, but hey, who knows? :)

Manuel is right about the browser authentication method not being 
'controllable'.  If you log in with a 'challenge/response' password box,
your browser will keep sending that information with every request 
(including graphics), and because it's in the browser, you have no easy 
way of forcing it to log out.  Doing 'server-side' authentication
and session handling is going to give you more flexibility.

Our initial testing has show LDAP to be a bit faster in raw lookups for 
user authentication.  Perhaps a combination of LDAP and a another 
database to store the session data would be your best bet.  If you could 
give us more info on your hardware and requirements needs we can better 
assist you.

Michael Kimsal
Guaranteed PHP support when you need it

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to