Why not htaccess when using SSL?

Posted on 1998-07-23
Medium Priority
Last Modified: 2010-03-05
I notice that most sites don't use basic authentication with htaccess when using SSL. Can you please tell me why I should use htaccess instead of doing my own home-grown solution?

Finally, what are the best routines available for managing user registration?
Question by: janesmith
Expert Comment

ID: 1208675
First of all, what type of server are you using? I have recently found out that .htaccess does not work with Microsoft IIS, much to my chagrin.

Previously, with Unix, we had used basic authentication using .htaccess and found our system to be very satisfactory.

We used a system of cgi scripts to take client info from HTML forms and place it into a "password database", which was really nothing more than a text file. When each user logged in, the script would match their user_id and password with that in the password database and decide whether to allow/deny them access. Pretty straightforward.

Other scripts allowed users to renew, delete, or change their subscription info.

Author Comment

ID: 1208676
I use Apache and SSL under Apache. So why do so few vendors using SSL use basic authentication? For example, your average brokerage houses like fidelity.com use SSL but NOT basic authentication. Instead they use some other approach. Why is this?

Expert Comment

ID: 1208677
Well, I don't have a definite answer for that. But I can give you a couple of possible reasons:

1) They could use an NT server, which I have found out does NOT support .htaccess. The only way to use basic authentication with NT is to give every web site subscriber access to your NT user database, which isn't a pleasant feeling. Kinda makes you want to find another way.

2) Basic authentication, while neat and tidy, is simply a login box. You can't do anything special with it, such as adding graphics, text, banner ads, or links to your login page.

3) Basic authentication and SSL are mutually exclusive. It's not an all or nothing deal. If you use one, there's no requirement to use the other.

4) Basic authentication is just that... basic. The password information isn't encrypted to the degree of SSL. However, for the vast majority of its applications, basic authentication works just fine. If you are running a CIA or NASA site you might disagree, but allowing registered subscribers to see a catalog on your site doesn't require 128-bit encryption - but processing their credit card purchases does.


Accepted Solution

notanexpert earned 140 total points
ID: 1208678
Here's my 2 cents:

1. Basic authentication is Ugly. Period. It looks primitive, and many companies feel it looks unprofessional.

2. You cannot keep state info across two domain names with basic authentication. If I am on one server, authenticated by basic authentication, and I want to go on another server, even if it's owned by the same company, it is impossible to set them up so I won't have to log in again to the second server. Since many companies will use different machines and domain names to perform different tasks (i.e. one does .asp or NAS, one'll do commerce stuff, one feeds media, etc.) you would have to log in to more than one computer during your 'stay' at that site. Using custom solutions allows for greater flexibility, and more transparency for the client and/or user.

Expert Comment

ID: 1208679
Unless you are using extremely sensitive data on the server, there's nothing wrong with writing a little Perl app or servlet or whatever that will query some text file in a protected directory. If you do it in Perl, the cgi will run under the same user as your web server, and as long as you have the permissions set up on the text file, all reading/writing to the file will/can only be performed by that cgi.
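Two comments above describe the same home-grown design: a cgi script matching user_id and password against a text-file "password database", and a Perl app querying a text file in a protected directory. The sketch below is an added example, not code from this thread; it shows the two things a defender would insist on for that file (salted, stretched hashes and a constant-time comparison) and, in parse_basic_header, why the Basic scheme on its own gives no confidentiality: the header is only base64, so TLS is what protects the password in transit. The file format and the sample users are constructed for the example.

```python
import base64, binascii, hashlib, hmac, os

# Constructed record format for this example: user:salt_hex$pbkdf2_sha256_hex
# (real htpasswd files use their own hash variants; this is not one of them).
def hash_password(password: str, salt: bytes) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"

def make_entry(user: str, password: str, salt: bytes = None) -> str:
    """One line for the text-file password database; never store the plaintext."""
    return f"{user}:{hash_password(password, salt or os.urandom(16))}"

def load_db(text: str) -> dict:
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            db[user] = stored
    return db

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic_header(header: str):
    """Return (user, password) from an Authorization header value, or None.
    Basic auth is base64 encoding, not encryption: anyone who sees the header
    without TLS can read the password as easily as this function does."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_credentials(db: dict, header: str) -> bool:
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = db.get(user)
    if stored is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    salt_hex = stored.partition("$")[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

# Constructed sample database with fixed salts so the example is reproducible.
SAMPLE_DB_TEXT = "\n".join([
    "# constructed sample password database (example only)",
    make_entry("jane", "correct horse", bytes.fromhex("00112233445566778899aabbccddeeff")),
    make_entry("bob", "hunter2", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
])
```

The file itself still has to live outside the document root with permissions only the cgi user can read, as the comment above says; the hashing only limits the damage if that fails.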
