Why not htaccess when using SSL?

janesmith asked (Medium Priority, 276 Views, Last Modified: 2010-03-05)
I notice that most sites don't use basic authentication via htaccess when using SSL. Can you please tell me why I should use htaccess instead of doing my own home-grown solution?

Finally, what are the best routines available for managing user registration?

csi commented:
First of all, what type of server are you using? I have recently found out that .htaccess does not work with Microsoft IIS, much to my chagrin.

Previously, with Unix, we had used basic authentication using .htaccess and found our system to be very satisfactory.

We used a system of CGI scripts to take client info from HTML forms and place it into a "password database", which was really nothing more than a text file. When each user logged in, the script would match their user_id and password with that in the password database and decide whether to allow/deny them access. Pretty straightforward.

Other scripts allowed users to renew, delete, or change their subscription info.

Author commented:
I use Apache and SSL under Apache. So why do so few vendors using SSL use basic authentication? For example, your average brokerage house, like fidelity.com, uses SSL but NOT basic authentication. Instead they use some other approach. Why is this?

csi commented:
Well, I don't have a definite answer to that. But I can give you a couple of possible reasons:

1) They could use an NT server, which I have found out does NOT support .htaccess. The only way to use basic authentication with NT is to give every web site subscriber access to your NT user database, which isn't a pleasant feeling. Kinda makes you want to find another way.

2) Basic authentication, while neat and tidy, is simply a login box. You can't do anything special with it, such as adding graphics, text, banner ads, or links to your login page.

3) Basic authentication and SSL are mutually exclusive. It's not an all or nothing deal. If you use one, there's no requirement to use the other.

4) Basic authentication is just that... basic. The password information isn't encrypted to the degree of SSL. However, for the vast majority of its applications, basic authentication works just fine. If you are running a CIA or NASA site you might disagree, but allowing registered subscribers to see a catalog on your site doesn't require 128-bit encryption - but processing their credit card purchases does.
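Point 3 above is worth making concrete: in Apache, Basic authentication and SSL are configured independently, and a single .htaccess can demand both. The following is an added example, not configuration posted by anyone in this thread; the AuthUserFile path and the realm name are assumptions.

```apache
# Added example: .htaccess that combines Basic authentication with a requirement for SSL.
# Assumed path: /var/www/private/.htpasswd (keep it outside the document root so it is
# never served). The directory needs "AllowOverride AuthConfig" in httpd.conf for
# these directives to be honoured from .htaccess.

# mod_ssl: refuse any request that did not arrive over SSL before the password prompt,
# so the base64-encoded credentials of Basic auth never travel in the clear.
SSLRequireSSL

AuthType Basic
AuthName "Subscribers"
AuthUserFile /var/www/private/.htpasswd
Require valid-user
```

Create users with Apache's own tool, e.g. `htpasswd -c -B /var/www/private/.htpasswd jane` (`-B` stores a bcrypt hash; drop `-c` after the file exists). One practical reason sites like the brokerage mentioned above build their own login page instead: once a browser has answered a Basic challenge it resends the credentials on every request for the rest of the browser session, and there is no server-side way to log the user out or expire the session, which is exactly what a financial site needs.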

Unless you are using extremely sensitive data on the server, there's nothing wrong with writing a little Perl app or servlet or whatever that will query some text file in a protected directory. If you do it in Perl, the CGI will run under the same user as your web server, and as long as you have the permissions set up on the text file, all reading/writing to the file will/can only be performed by that CGI.
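The text-file "password database" described in csi's first comment and in the Perl/servlet suggestion just above, as an added example in Python (this is not any poster's script). Assumptions: the one-line-per-user file layout (user_id:iterations:salt:hash), the user names and passwords are all constructed here. It goes beyond the thread in two ways a practitioner would want: it stores salted PBKDF2 hashes rather than the password itself, and it compares in constant time. It also decodes the Authorization header a browser sends for Basic auth, which makes plain why that header needs SSL in front of it.

```python
"""Home-grown text-file login check (added example, not code from the thread)."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware allows


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash so a leaked password file does not hand out passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(user_id: str, password: str, salt: Optional[bytes] = None) -> str:
    """One line of the password file: user_id:iterations:salt_hex:hash_hex."""
    if ":" in user_id:
        raise ValueError("user_id must not contain ':'")
    salt = salt if salt is not None else os.urandom(16)
    return f"{user_id}:{ITERATIONS}:{salt.hex()}:{hash_password(password, salt).hex()}"


def load_password_db(text: str) -> Dict[str, Tuple[int, bytes, bytes]]:
    """Parse the text file into {user_id: (iterations, salt, digest)}; '#' lines are comments."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user_id, iterations, salt_hex, hash_hex = line.split(":")
        db[user_id] = (int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return db


# Constructed sample database. Fixed salts are used only so the example is reproducible;
# real records get a fresh os.urandom() salt from make_record().
PASSWORD_FILE = "\n".join([
    "# user_id:iterations:salt:pbkdf2_sha256",
    make_record("jane", "correct horse", salt=bytes(range(16))),
    make_record("bob", "a:b", salt=bytes(range(16, 32))),
])
PASSWORD_DB = load_password_db(PASSWORD_FILE)

# Record hashed against when the user does not exist, so unknown and known users
# cost the same time and an attacker cannot enumerate user_ids by timing.
_DUMMY = (ITERATIONS, b"\x00" * 16, hash_password("dummy", b"\x00" * 16))


def verify_user(db: dict, user_id: str, password: str) -> bool:
    """Allow/deny as the thread's CGI did, with a constant-time digest comparison."""
    iterations, salt, expected = db.get(user_id, _DUMMY)
    actual = hash_password(password, salt, iterations)
    return user_id in db and hmac.compare_digest(actual, expected)


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic base64(user:password)' into (user, password).

    The credentials are only base64-encoded, not encrypted: anyone on the path can
    read them unless the request travelled over SSL/TLS."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user_id, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep or not user_id:
        return None
    return user_id, password


def basic_header(user_id: str, password: str) -> str:
    """Build the header a browser sends after a Basic challenge (for the demo)."""
    return "Basic " + base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")


def authenticate_request(db: dict, authorization_header: Optional[str]) -> Optional[str]:
    """Return the authenticated user_id, or None if the header is missing or wrong."""
    creds = parse_basic_authorization(authorization_header)
    if creds is None:
        return None
    user_id, password = creds
    return user_id if verify_user(db, user_id, password) else None


if __name__ == "__main__":
    print(PASSWORD_FILE)
    print(authenticate_request(PASSWORD_DB, basic_header("jane", "correct horse")))
    print(authenticate_request(PASSWORD_DB, basic_header("jane", "wrong")))
```

The same verify_user() serves a login form handled by a CGI, since the form simply supplies user_id and password directly; the file permissions point made above still applies, as the web server user must be the only one able to read or write the password file.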