Menu
Given a simple login system (register and login), which of the two choices is more secure:
User info consists purely of username-password.
Of course, best-case is assumed for both options: MySQL injections are accounted for, password is md5/sha1/md5+sha1/any other means encrypted, etc.
In case you're wondering, in the first case, php will add user credentials to the htpasswd file. (see this question for an example implementation.)
878
htaccess and . htpasswd are actually yielding a screen for your user name and password, it is secure. If the combination of the user name and password isn't valid, Apache will return a HTTP 403: Forbidden header, which means the request has never been passed to PHP.
Because mistakes happen, and the . htpasswd file is a big liability. Even if you're using HTTPS, exposure of your . htpasswd file means that your passwords can be easily cracked via brute-force attacks.
htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine.
htpasswd, a flat-file used to store usernames and password for basic authentication on an Apache HTTP Server.
I'd say always the login form (by which I assume you mean standard session-based authentication).
.htaccess authentication transmits the password on every request (Of course, SSL would help here)
.htaccess authentication doesn't have any rate limiting / brute-force protection by default in Apache
Logging out from .htaccess authentication is a bitch
96
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
