[nycphp-talk] NEW PHundamentals Question - HTTP Authentication
Matthew Terenzio
webmaster at localnotion.com
Sat Oct 23 16:31:46 EDT 2004
On Oct 23, 2004, at 1:53 PM, inforequest wrote:
> It seems we have some differences of opinion.
>
> Matthew Terenzio says:
>
> "While it is a step up from clear text, it should be made abundantly
> clear that it is not for purposes of hiding sensitive data from
> hackers."
>
> while Ophir Prusak says:
>
> "2. HTTP Authentication is probably more secure than anything you'll
> ever write yourself. Especially if you implement it at the server
> level (.htaccess) you won't have to worry as much about security holes
> in your code :)"
>
>
> Do you two care to comment further?
Well, in my case it is certainly more secure than anything I'd write.
(short pause and burst of laughter)
I might be wrong, but my understanding is:
1. Basic auth sends the password in the clear
2. sends it on every request, making it easy for sniffers
3. Digest auth does not send the password, but content can still be swiped
from: http://www.ietf.org/rfc/rfc2617.txt
"The Digest Access Authentication scheme is not intended to be a
complete answer to the need for security in the World Wide Web. This
scheme provides no encryption of message content. The intent is
simply to create an access authentication method that avoids the most
serious flaws of Basic authentication."
also:
http://httpd.apache.org/docs/howto/auth.html#basiccaveat
>
> -=john
>
>
> _______________________________________________
> New York PHP Talk
> Supporting AMP Technology (Apache/MySQL/PHP)
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.newyorkphp.org
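The three points above, as an added example that is not part of the original post, nor code from Apache or the RFC it cites: a Python script showing what an on-path sniffer gets from a Basic Authorization header versus a Digest one (RFC 2617, MD5 algorithm, qop=auth), plus one caveat the post does not raise, namely that a captured Digest header is still enough for offline password guessing, since everything except the password is in the header. The Basic and Digest headers, the realm, the nonce and the client nonce are constructed sample values, not real traffic; the server-side check omits nonce bookkeeping (issued / already-used nonces) that a real server must do.

```python
"""Added example, not from the original post: what an on-path sniffer gets from a
Basic vs a Digest (RFC 2617, MD5, qop=auth) Authorization header. All captured
values below are constructed sample data, not real traffic; the realm, nonce and
cnonce are made-up illustrative values."""
from __future__ import annotations

import base64
import hashlib
import hmac
import re

# Constructed sample: exactly what Basic auth puts on the wire for alice / secret.
CAPTURED_BASIC = "Basic YWxpY2U6c2VjcmV0"


def decode_basic(header: str) -> tuple[str, str]:
    """Recover user-id and password from a sniffed Basic header. base64 is an
    encoding, not encryption, so anyone who sees one request has the password."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    userid, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return userid, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is also what Apache's htdigest
    file stores, so the server never needs the plaintext password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest from RFC 2617 section 3.2.2.1 with qop=auth:
    MD5(HA1:nonce:nc:cnonce:qop:HA2), where HA2 = MD5(method:digest-uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: the header carries a hash, never the password itself."""
    ha1 = digest_ha1(username, realm, password)
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest_header(header: str) -> dict:
    """Split a Digest header into its name=value fields (quoted or bare)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params)}


def server_verify(header: str, method: str, stored_ha1: str) -> bool:
    """Server side: recompute the digest from the stored HA1 and compare in
    constant time. A real server must also check that the nonce is one it
    issued and has not been replayed; that bookkeeping is omitted here."""
    f = parse_digest_header(header)
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


def offline_guess(header: str, method: str, wordlist) -> str | None:
    """What a sniffer can still do with a captured Digest header: everything but
    the password is in it, so each guess costs three MD5 calls and needs no
    further contact with the server. Returns the first matching guess, if any."""
    f = parse_digest_header(header)
    for guess in wordlist:
        ha1 = digest_ha1(f["username"], f["realm"], guess)
        if digest_response(ha1, method, f["uri"], f["nonce"],
                           f["nc"], f["cnonce"], f["qop"]) == f["response"]:
            return guess
    return None


# Constructed sample exchange for alice / secret against a made-up realm.
REALM, NONCE, CNONCE = "example", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
CAPTURED_DIGEST = build_digest_header("alice", REALM, "secret", "GET", "/private/",
                                      NONCE, "00000001", CNONCE)

if __name__ == "__main__":
    print("Basic reveals:", decode_basic(CAPTURED_BASIC))
    print("Digest header:", CAPTURED_DIGEST)
    print("password in Digest header?", "secret" in CAPTURED_DIGEST)
    print("server accepts:", server_verify(CAPTURED_DIGEST, "GET",
                                           digest_ha1("alice", REALM, "secret")))
    print("offline guess :", offline_guess(CAPTURED_DIGEST, "GET",
                                           ["password", "letmein", "secret"]))
```

Neither scheme touches the request or response body, which is the RFC caveat quoted above: run either one over plain HTTP and the sniffer still reads the protected content, and with Basic it gets the password for free as well. Digest keeps the password off the wire, but a single captured header plus a wordlist is enough to recover a weak one, so TLS is what actually protects both the credential and the content.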