Solved

Why not htaccess when using SSL?

Posted on 1998-07-23
5
216 Views
Last Modified: 2010-03-05
I notice that most sites don't use the basic authentication using htaccess when using SSL. Can you please tell me why I should use htaccess instead of doing my own home grown solution?

Finally what is the best routines available for managing user registration?
0
Comment
Question by:janesmith
  • 2
  • 2
5 Comments
 

Expert Comment

by:csi
Comment Utility
First of all, what type of server are you using? I have recently found out that .htaccess does not work with microsoft IIS, much to my chagrin.

Previously, with Unix, we had used basic authentication using .htaccess and found our system to be very satisfactory.

We used a system of cgi scripts to take client info from HTML forms and place it into a "password database", which was really nothing more than a text file. When each user logged in, the script would match their user_id and password with that in the password database and decide whether to allow/deny them access. Pretty straight forward.

Other scripts allowed users to renew, delete, or change their subscription info.
0
 

Author Comment

by:janesmith
Comment Utility
I use apache and ssl under apache. So why do so few vendors using SSL not use basic authentication? For example, your average
brokerage houses like fidelity.com use ssl but NOT basic authentication. Instead they use some other approach. Why is this??
0
 

Expert Comment

by:csi
Comment Utility
Well, that I don't have a definite answer. But I can give you a couple of possible reasons:

1) They could use an NT server, which I have found out does NOT support .htaccess. The only way to use basic authentication with NT is to give every web site subscriber access to your NT user database, which isn't a pleasant feeling. Kinda makes you want to find another way.

2) Basic authentication, while neat and tidy, is simply a login box. You can't do anything special with it, such as adding graphics, text, banner ads, or links to your login page.

3) Basic authentication and SSL are mutually exclusive. It's not an all or nothing deal. If you use one, there's no requirement to use the other.

4) Basic authentication is just that... basic. The password information isn't encrypted to the degree of SSL. However, for the vast majority of its applications, basic authentication works just fine. If you are running a CIA or NASA site you might disagree, but allowing registered subscribers to see a catalog on your site doesn't require 128-bit encryption - but processing their credit card purchases does.

0
 
LVL 1

Accepted Solution

by:
notanexpert earned 70 total points
Comment Utility
Here's my 2 cents:

1. Basic authentication is Ugly. Period. It looks primitive, and many companies feel it looks unprofessional.

2. You cannot keep state info across two domain names with basic authentication. If I am on one server, authenticated by basic authentication, and I want to go on another server, even if it's owned by the same company, it is impossible to set them up so I won't have to log in again to the second server. Since many companies will use different machines and domain names to perform different tasks (ie: one does .asp or NAS, one'll do commerce stuff, one feeds media .. etc ) you would have to login to more than one computer during your 'stay' at that site. Using custom solutions allow for greater flexibilty, and more transparency for the client and/or user.
0
 
LVL 1

Expert Comment

by:notanexpert
Comment Utility
Unless you are using extremely senstive data on the server, there's nothing wrong with writing a little perl app or servelet or whatever that will query some textfile in a protected directory. If you do it in perl, the cgi will run under the same user as your web server, and as long as you have the permissions set up on the textfile, all reading/writing to the file will/can only be performed by that cgi.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Many time we need to work with multiple files all together. If its windows system then we can use some GUI based editor to accomplish our task. But what if you are on putty or have only CLI(Command Line Interface) as an option to  edit your files. I…
I have been pestered over the years to produce and distribute regular data extracts, and often the request have explicitly requested the data be emailed as an Excel attachement; specifically Excel, as it appears: CSV files confuse (no Red or Green h…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now