It really depends on what you are wanting to protect, but in most cases,
it is better to use a "homegrown" solution.

If you are interested in why I say this, read on ...

HTTP authentication has two breeds, basic and digest. With basic, the
*authentication* credentials (e.g., name and password) are passed in
clear text for every single request to a protected resource (so,
probably for every request for a page in your application). So, even if
you do not use SSL, using your own authentication and then switching to
PHP sessions only exposes the user's authentication credentials once.
There are other disadvantages as well, such as depending on the client's
browser for things like timeout, removing the control from yourself.

Digest authentication addresses the major concern of exposed
authentication credentials as well as many other minor ones, but support
for it is inconsistent, and only newer browsers are going to have good
support. So, while it is definitely a better alternative to basic
authentication, it is not a good option for most people.

Using your own does not require much work if you don't want it to. Even
a simple username and password collection combined with the "out of the
box" PHP sessions solution is probably more suitable in most cases than
HTTP's native authentication.

Now, arguments for HTTP authentication would weigh heavier for static
resources such as images and HTML files that you want to protect without
relying on server-side code (for example, in cases where there is no
support for PHP, mod_perl, etc.).

That's my opinion anyway ...

Jackson Miller wrote:
>I am curious what method of authentication is preferred by people on
>this list. Are you using PHP scripts for authentication and limiting
>access, or are you using HTTP header info? Maybe it is best to use

PHP General Mailing List (http://www.php.net/)
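
An added example, not part of the original message: a single-file form login on top of PHP's built-in sessions, where the password is sent only on the login POST and the idle timeout is enforced by the server rather than the browser. The account, the `IDLE_LIMIT` value and the function names are assumptions made for illustration.

```php
<?php
// Added example: homegrown login using PHP's built-in sessions.
const IDLE_LIMIT = 900; // assumed idle timeout in seconds, enforced server-side

function users(): array {
    // Constructed demo account. A real application would load stored
    // password_hash() output from its user store instead of hashing here.
    static $users = null;
    return $users ??= ['alice' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
}

function check_login(string $name, string $password): bool {
    $hash = users()[$name] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

function session_is_live(int $now): bool {
    if (empty($_SESSION['user'])) {
        return false;
    }
    if ($now - ($_SESSION['last_seen'] ?? 0) > IDLE_LIMIT) {
        $_SESSION = [];        // expired: drop the login state on the server
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax', 'use_strict_mode' => true]);
$now  = time();
$name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
$pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && check_login($name, $pass)) {
    session_regenerate_id(true);   // new session id once the user is authenticated
    $_SESSION['user'] = $name;
    $_SESSION['last_seen'] = $now;
}

if (session_is_live($now)) {
    // Later requests carry only the session cookie, never the password.
    echo 'Protected page for ' . htmlspecialchars($_SESSION['user']);
} else {
    echo '<form method="post">'
       . '<input name="name"> <input name="password" type="password">'
       . '<button>Log in</button></form>';
}
```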