HTTP Authentication .vs. Session Authentication

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

Greetings. I am designing a PHP application (yes, I have
investigated using existing applications). I cannot use HTTPS
for reasons I shall not disclose. I must authenticate users
against a database (MySQL) before granting them access. There
are two methods I am considering: HTTP authentication, and session
authentication. My webpage is spread across multiple scripts, and
the user must not have to repeatedly reauthenticate him/herself.
It does not matter, however, if the login session remains or is
destroyed when the browser closes, although destruction is

To my knowledge, PHP only supports Basic HTTP authentication.
This would be easier, and if it matches session authentication in
security, I would prefer to use it. Session authentication would
be accomplished via a hashed password supplied in a form, sent via
POST, after which the userid or another identifying piece of data
would be stored in a session variable. My webserver does host other
websites, and I cannot adjust its configuration. It seems to me,
however, that Basic HTTP authentication sends the username and
password in plaintext at the opening of every page. Is this true?

Any recommendations would be greatly appreciated.


Re: HTTP Authentication .vs. Session Authentication

Anonymous wrote:
Quoted text here. Click to load it

This true, although the credentials are base64 encoded. Sending the
credentials to satisfy Basic authentication would be done as follows:

$user = 'user';
$pass = 'pass';

header("Authorization: Basic " . base64endode("$user:$pass"));

Using session based authentication will only be saver because the
credentials are send just once. However, the cookie header, which contains
the session id, is send in plain text also each time a request is made.

If you really care about security, SSL tunneling would be the way to go.


Site Timeline