Session login vs HTTP authentication. Advantages Disadvantages

Question

I noticed a few big sites use HTTP authentication.

Im wondering what the main difference is between this and session based logins are.

Any advantages or disadvantages.

Any explanation and or suggestions would be helpful as i'm trying to decide which login to use for my site.

thanks

Answer 1

The biggest disadvantage of HTTP Authentication, from a user's point of view, is probably the fact that you get an ugly looking dialog box, and not a nice form integrated into your website.

You also cannot include any link to a "register" form, or some help, nor some "I've forgotten my password" information.

For some kind of back office, maybe http authentication is OK ; but I have some doubts about its usage for some public front office.

Another inconvenient is that there is no "auto-logout" functionnality, with HTTP Authentication : with sessions, the session expires after some time, or the cookie is automatically deleted when the user closes his browser... But not with HTTP Authentication ; so, on this point, HTTP Authentication seems less secure.

Answer 2

http-authentication is sent with each single request. This means that the request remains autonomous of any previous requests (also known as being stateless). Since http has been designed as a stateless protocol, there are a number of technical benefits to keeping with this style. Another big plus of using http-authentication is that it is standardised. Any http-client knows how to deal with http-authentication, so you make interoperability a lot simpler.

The main reason why people use session-based logins are, in my experience:

• Aesthetics. You can't style the http-authentication box.
• Usability. You can't put descriptive text or a link to "forgotten password" or "create new account" in the box.

In addition, a lot of people don't care about or outright prefer to sabotage alternative clients (such as screen scrapers and other automated clients).