February 28th, 2002, 03:59 PM
Website user authentication
I'd like to hear about people's experience and get their recommendations on how I should perform user authentication for a site I am developing.
I have developed several sites with password-protected areas that require the user to log-in with username and password. My script (PHP or ColdFusion) then queries a database to verify that a valid username-password pair was entered. If so a cookie is sent to the client and the presence of the cookie is then verified before sending access-restricted content to the browser.
That seems to work fairly well. I'm sure it's not all that secure, but I'm not trying to protect credit card numbers or anything like that either.
My main question is if you think I should continue using that system or if HTTP Basic Authentication would be better. I'd like to hear about people's experience with Basic Auth, how difficult it is to implement, etc.
Thanks in advance.
February 28th, 2002, 04:48 PM
http basic auth is just as secure as a good php script. but it prevents you from errors in your php scripts, since it is executed before your script.
if you are dealing with cc-numbers, you should definitively use SSL!
http basic auth is quite easy to implement. but talking about security, there is no way around encryption especially when transmitting credit card infos. to be honest, i donīt think it is possible to secure credit cards at all.
where i live (germany), credit cards companys have to take the responsibility for the security, so this is no issue here. but law forces you to use SSL.