• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 263

Why not htaccess when using SSL?

I notice that most sites don't use the basic authentication using htaccess when using SSL. Can you please tell me why I should use htaccess instead of doing my own home grown solution?

Finally what is the best routines available for managing user registration?
Asked by: janesmith

1 Solution

csi Commented:
First of all, what type of server are you using? I have recently found out that .htaccess does not work with Microsoft IIS, much to my chagrin.

Previously, with Unix, we had used basic authentication using .htaccess and found our system to be very satisfactory.

We used a system of cgi scripts to take client info from HTML forms and place it into a "password database", which was really nothing more than a text file. When each user logged in, the script would match their user_id and password with that in the password database and decide whether to allow/deny them access. Pretty straight forward.

Other scripts allowed users to renew, delete, or change their subscription info.
 
janesmith (Author) Commented:
I use apache and ssl under apache. So why do so few vendors using SSL not use basic authentication? For example, your average brokerage houses like fidelity.com use ssl but NOT basic authentication. Instead they use some other approach. Why is this??
 
csi Commented:
Well, that I don't have a definite answer. But I can give you a couple of possible reasons:

1) They could use an NT server, which I have found out does NOT support .htaccess. The only way to use basic authentication with NT is to give every web site subscriber access to your NT user database, which isn't a pleasant feeling. Kinda makes you want to find another way.

2) Basic authentication, while neat and tidy, is simply a login box. You can't do anything special with it, such as adding graphics, text, banner ads, or links to your login page.

3) Basic authentication and SSL are mutually exclusive. It's not an all or nothing deal. If you use one, there's no requirement to use the other.

4) Basic authentication is just that... basic. The password information isn't encrypted to the degree of SSL. However, for the vast majority of its applications, basic authentication works just fine. If you are running a CIA or NASA site you might disagree, but allowing registered subscribers to see a catalog on your site doesn't require 128-bit encryption - but processing their credit card purchases does.

 
notanexpert Commented:
Here's my 2 cents:

1. Basic authentication is Ugly. Period. It looks primitive, and many companies feel it looks unprofessional.

2. You cannot keep state info across two domain names with basic authentication. If I am on one server, authenticated by basic authentication, and I want to go on another server, even if it's owned by the same company, it is impossible to set them up so I won't have to log in again to the second server. Since many companies will use different machines and domain names to perform different tasks (i.e. one does .asp or NAS, one'll do commerce stuff, one feeds media, etc.) you would have to log in to more than one computer during your 'stay' at that site. Using custom solutions allows for greater flexibility, and more transparency for the client and/or user.
 
notanexpert Commented:
Unless you are using extremely sensitive data on the server, there's nothing wrong with writing a little perl app or servlet or whatever that will query some textfile in a protected directory. If you do it in perl, the cgi will run under the same user as your web server, and as long as you have the permissions set up on the textfile, all reading/writing to the file will/can only be performed by that cgi.
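The "password database" text file that csi's CGI scripts matched user ids and passwords against, and the "little perl app" querying a protected text file that notanexpert suggests, both come down to the same check. This is an added example, not code from either poster, written in Python rather than Perl: the file holds only salted PBKDF2 hashes instead of plain passwords, the comparison is constant-time, and the same `Authorization: Basic` header that Apache parses for .htaccess is handled so a home-grown script and basic authentication can share one file. User names, passwords and salts are constructed sample values.

```python
import base64
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows

def pw_hash(password, salt_hex):
    """Salted PBKDF2-SHA256 of the password, as a hex string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), ITERATIONS).hex()

def make_record(user, password, salt_hex):
    """One 'user:salt:hash' line; the plain password is never stored."""
    return f"{user}:{salt_hex}:{pw_hash(password, salt_hex)}"

# Constructed sample "password database" (fixed salts so results are stable).
SAMPLE_DB = "\n".join([
    "# constructed sample; keep the real file outside the document root",
    make_record("alice", "correct horse", "0011223344556677"),
    make_record("bob", "hunter2", "8899aabbccddeeff"),
])
def load_db(text):
    """Parse the file into {user: (salt_hex, digest_hex)}, skipping comments."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, salt_hex, digest = line.split(":", 2)
            db[user] = (salt_hex, digest)
    return db

def verify(db, user, password):
    """True only if the salted hash of the password matches the stored one."""
    # Unknown users get a dummy record so the hash still runs and timing
    # does not reveal whether an account exists.
    salt_hex, stored = db.get(user, ("00" * 8, "0" * 64))
    return user in db and hmac.compare_digest(pw_hash(password, salt_hex), stored)

def user_from_basic_header(db, header):
    """Check an 'Authorization: Basic <b64>' value; return the user or None."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")
    return user if sep and verify(db, user, password) else None
```

Because Basic sends the base64 of `user:password` on every request, the check above only protects the credential when the transport is SSL, which is the point the thread circles around.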
