Why not htaccess when using SSL?

Posted on 1998-07-23
Last Modified: 2010-03-05
I notice that most sites don't use the basic authentication using htaccess when using SSL. Can you please tell me why I should use htaccess instead of doing my own home grown solution?

Finally, what are the best routines available for managing user registration?
Question by: janesmith

Expert Comment

ID: 1208675
First of all, what type of server are you using? I have recently found out that .htaccess does not work with Microsoft IIS, much to my chagrin.

Previously, with Unix, we had used basic authentication using .htaccess and found our system to be very satisfactory.

We used a system of CGI scripts to take client info from HTML forms and place it into a "password database", which was really nothing more than a text file. When each user logged in, the script would match their user_id and password with that in the password database and decide whether to allow/deny them access. Pretty straightforward.

Other scripts allowed users to renew, delete, or change their subscription info.

Author Comment

ID: 1208676
I use Apache and SSL under Apache. So why do so few vendors using SSL not use basic authentication? For example, your average brokerage houses like use SSL but NOT basic authentication. Instead they use some other approach. Why is this??

Expert Comment

ID: 1208677
Well, that I don't have a definite answer. But I can give you a couple of possible reasons:

1) They could use an NT server, which I have found out does NOT support .htaccess. The only way to use basic authentication with NT is to give every web site subscriber access to your NT user database, which isn't a pleasant feeling. Kinda makes you want to find another way.

2) Basic authentication, while neat and tidy, is simply a login box. You can't do anything special with it, such as adding graphics, text, banner ads, or links to your login page.

3) Basic authentication and SSL are mutually exclusive. It's not an all or nothing deal. If you use one, there's no requirement to use the other.

4) Basic authentication is just that... basic. The password information isn't encrypted to the degree of SSL. However, for the vast majority of its applications, basic authentication works just fine. If you are running a CIA or NASA site you might disagree, but allowing registered subscribers to see a catalog on your site doesn't require 128-bit encryption - but processing their credit card purchases does.


Accepted Solution

notanexpert earned 70 total points
ID: 1208678
Here's my 2 cents:

1. Basic authentication is Ugly. Period. It looks primitive, and many companies feel it looks unprofessional.

2. You cannot keep state info across two domain names with basic authentication. If I am on one server, authenticated by basic authentication, and I want to go on another server, even if it's owned by the same company, it is impossible to set them up so I won't have to log in again to the second server. Since many companies will use different machines and domain names to perform different tasks (i.e., one does .asp or NAS, one'll do commerce stuff, one feeds media, etc.) you would have to log in to more than one computer during your 'stay' at that site. Using custom solutions allows for greater flexibility, and more transparency for the client and/or user.

Expert Comment

ID: 1208679
Unless you are using extremely sensitive data on the server, there's nothing wrong with writing a little Perl app or servlet or whatever that will query some text file in a protected directory. If you do it in Perl, the CGI will run under the same user as your web server, and as long as you have the permissions set up on the text file, all reading/writing to the file will/can only be performed by that CGI.
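
The flat-file login check described in this thread (a script that matches a user_id and password against a text file only the web server's account can access), as an added example that is not code from any poster. It is written in Python rather than the Perl CGI the thread mentions; the `user:salt:hash` record format, the PBKDF2 hashing, the iteration count and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import stat

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value, not from the thread)

def derive(password, salt):
    """Salted, slow hash so the text file never holds a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def add_user(path, user, password):
    """Append one user:salt:hash record, creating the file as mode 0600."""
    if not user or ":" in user or "\n" in user:
        raise ValueError("user name would break the record format")
    salt = os.urandom(16)
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(f"{user}:{salt.hex()}:{derive(password, salt).hex()}\n")

def file_is_private(path):
    """True only if we own the file and group/other have no access bits."""
    st = os.stat(path)
    return st.st_uid == os.geteuid() and not st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)

def check_login(path, user, password):
    """Return True for a matching record; refuse to run on a loose file."""
    if not file_is_private(path):
        raise PermissionError("password file is accessible to other accounts")
    salt, stored = b"\0" * 16, None
    with open(path) as f:
        for line in f:
            parts = line.rstrip("\n").split(":")
            if len(parts) == 3 and parts[0] == user:
                salt, stored = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
                break
    # Always derive, even for unknown users, so timing does not reveal
    # which user names exist; compare in constant time.
    candidate = derive(password, salt)
    return stored is not None and hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    import tempfile
    # Constructed sample store and credentials, for demonstration only.
    path = os.path.join(tempfile.mkdtemp(), "passwd.txt")
    add_user(path, "alice", "correct horse")
    print(check_login(path, "alice", "correct horse"), check_login(path, "alice", "guess"))
```
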


Question has a verified solution.
