Raymond Still wrote:
> Hello;
> I'm trying to figure out the best (most secure and most
> user friendly, security of primary importance) way to
> let a user log in.
> I am setting up a web application (database
> application) that will be for private use only and I
> want to keep it secure.
> As I understand it, using the Apache htaccess method is
> secure as there is essentially no communication without
> a username and password, but it does lack a little in
> flexibility and presentation.
> On the other hand, PHP certainly has the edge on
> flexibility and presentation, but I have questions
> regarding its security. If you look at the threads
> regarding connecting to databases, you often see a
> warning to the effect of: store your connection
> password etc. outside of the document path in case PHP
> fails and your file is displayed unprocessed.
> So my question is, how can you count on PHP to log
> somebody in, and prevent access to files when PHP may
> fail, or the user could just go into the directory
> structure and bypass security.

You've smushed about 5 different security issues into one giant ball of snarled yarn.

Your question is roughly allegorical to: How can you call a deadbolt secure when the home-owner could just leave their ADT off and the back window unlocked?

Now, for starters:

HTTP Authentication is not particularly secure over a non-SSL connection as the password is transmitted in plain-text.

In fact, for *ANYTHING* where security matters for logging in and out, use SSL.

After that, there's no real "win" to HTTP authentication except for that cool/annoying popup window.

You've got a long way to go before you properly understand all the security issues you've jumbled together -- Took me forever, too. :-)

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
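The three separate points in this exchange (credentials kept outside the document root, passwords accepted only over SSL, and a PHP-level login instead of HTTP authentication) fit together in one login handler. This is an added example, not code from either poster; the config path /etc/myapp/db.php, the `users` table and its `password_hash` column are assumptions.

```php
<?php
// Added example. Assumes /etc/myapp/db.php (hypothetical path, outside the
// document root) returns ['dsn' => ..., 'user' => ..., 'pass' => ...], and a
// users table with columns username and password_hash (password_hash() output).
declare(strict_types=1);

// 1. Refuse to read a password off the wire unless the connection is TLS.
//    This checks the connection Apache sees directly; behind a TLS-terminating
//    proxy you would check a trusted forwarded header instead.
function require_https(): void {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        http_response_code(403);
        exit('Login is only accepted over HTTPS.');
    }
}

// 2. Secrets live outside the docroot. If PHP ever fails and this file is
//    served raw, it contains no password; Apache cannot serve /etc/myapp.
function db_connect(): PDO {
    $cfg = require '/etc/myapp/db.php';   // hypothetical path, outside docroot
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// 3. Application-level login: verify against a stored hash, then mark the
//    session. Every protected page calls require_login() first, so browsing
//    the directory structure directly finds nothing that does not check it.
function login(PDO $db, string $username, string $password): bool {
    $st = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;                      // unknown user or wrong password
    }
    session_regenerate_id(true);           // new session id after login
    $_SESSION['user'] = $username;
    return true;
}

require_https();
// Session cookie only over TLS and not readable from JavaScript.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
$ok = login(db_connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
header('Location: ' . ($ok ? '/app/' : '/login.php?failed=1'), true, 302);
```

A protected page would start the session the same way and redirect to the login form when `$_SESSION['user']` is unset.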