It really depends on what you are wanting to protect, but in most cases, 
it is better to use a "homegrown" solution.

If you are interested in why I say this, read on ...

HTTP authentication has two breeds, basic and digest. With basic, the 
*authentication* credentials (e.g., name and password) are passed in 
clear text for every single request to a protected resource (so, 
probably for every request for a page in your application). So, even if 
you do not use SSL, using your own authentication and then switching to 
PHP sessions only exposes the user's authentication credentials once. 
There are other disadvantages as well, such as depending on the client's 
browser for things like timeout, removing the control from yourself.

Digest authentication addresses the major concern of exposed 
authentication credentials as well as many other minor ones, but support 
for it is inconsistent, and only newer browsers are going to have good 
support. So, while it is definitely a better alternative to basic 
authentication, it is not a good option for most people.

Using your own does not require much work if you don't want it to. Even 
a simple username and password collection combined with the "out of the 
box" PHP sessions solution is probably more suitable in most cases than 
HTTP's native authentication.

Now, arguments for HTTP authentication would weigh heavier for static 
resources such as images and HTML files that you want to protect without 
relying on server-side code (for example, in cases where there is no 
support for PHP, mod_perl, etc.).

That's my opinion anyway ...


Jackson Miller wrote:

>I am curious what method of authentication is preferred by people on
>this list.  Are you using PHP scripts for authentication and limiting
>access, or are you using HTTP header info?  Maybe it is best to use

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
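
Added example, not part of the original message: a minimal sketch of the "homegrown" approach described above, where the name and password are sent in a single login POST and later requests carry only the PHP session cookie, with the idle timeout enforced by the server rather than the browser. The user store, the field names `name` and `password`, and the `IDLE_LIMIT` value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: form login + PHP session with a server-enforced idle timeout.
const IDLE_LIMIT = 900; // seconds; assumed value, chosen by the application

// Constructed user store; a real application would load stored hashes from its database.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Keep the session cookie away from client-side scripts.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// The server, not the browser, decides when a login expires.
if (isset($_SESSION['user'], $_SESSION['last_seen'])
    && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    $_SESSION = [];
    session_regenerate_id(true);
}

// The credentials cross the network only in this one POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = (string)($_POST['name'] ?? '');
    $pass = (string)($_POST['password'] ?? '');
    if (isset($users[$name]) && password_verify($pass, $users[$name])) {
        session_regenerate_id(true); // fresh session id after login (blocks session fixation)
        $_SESSION['user'] = $name;
    }
}

if (isset($_SESSION['user'])) {
    // Every later request is authorised by the session alone.
    $_SESSION['last_seen'] = time();
    echo 'Hello, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    echo '<form method="post">'
       . '<input name="name"> <input type="password" name="password"> '
       . '<button>Log in</button></form>';
}
```

Without SSL the login POST and the session cookie still travel in clear text, so the session id should be treated as a credential for as long as the session lives.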
