Any time I have made a style of web page that requires logging in, I have always simply used Stored Database Values to determined who was logged in and such.

I was recently told to use .htaccess files. Is there any downfall to one vs the other? I persoanlly went database because I can litterally pull my web domain from PHP to PHP with no issues at all.

Is there really a huge differencein security?

Bumper

Here's a really good run-down of how .htaccess files work and when to (and especially when not to) use them: http://httpd.apache.org/docs/1.3/howto/htaccess.html.

Here's a really good run-down of how .htaccess files work and when to (and especially when not to) use them: http://httpd.apache.org/docs/1.3/howto/htaccess.html.

Thanks, and I did RTFM (Read the F****** Manual)!! I SWEAR!! That sort of answer some related questions, but from a hacker stand point, is running with a databased approach horibly in secure? Prehapse there is an ultra super duper secure way of doing this that I am not even in the knowing of! ?:confused:

Bopper:confused:

Java is the most secure way. :p

What kind of security do you want? There's all kinds. You can always use .htaccess AND DB-based login. Couldn't hurt.

Anything is only going to be as secure as the program driving it, so if there are more Apache vulnerabilities than PHP/mysql (or whatever) vulnerabilities, then maybe you shouldn't use Apache. And vice versa. Things like buffer overflow attacks against Apache vs. SQL injection to compromise your DB, I mean. Though it would be hard (mostly impossible) to actually count them, and severity matters as much as quantity.

Apache has the benefit of being widely tested. If you're using DB-based authentication, you likely rolled your own form input and password parser, right? And the password is input via POST or GET? If so you're more likely carrying unfound logic bugs, or subtle things that can b0rk PHP/Perl/your script of choice. What if someone throws 4MB worth of GET data at your script? Will it choke? What about if they enter tons of NULL characters, quotes, backslashes and newlines as their username? What if they send a thousand password requests simultaneously? PHP often offers up all kinds of nice info about your database any time you can get it to crash, for example. Things like that. On the flip side, if you're using something non-standard and home-brewed, then you have obscurity going for you, so any widespread IIS-targetting scripts that may exist won't hurt you. For what it's worth.

Then there's the security of the password itself. If you use "admin/password" as your username/password, it doesn't really matter what the mechanism of login is; people will just guess it. If your users are stupid, then you're screwed no matter how nice your code is. Do you have a good password policy (assuming you have multiple users)? Are you enforcing password length so someone can't dictionary-attack you? (Though enforcing password length also has its bad side.)

Are you authenticating over an encrypted connection? If not, then it doesn't matter how good your passwords OR backend are; someone can do some traffic sniffing and there you go. If so, there's different quality of encryption schemes to take into account.

How's the security of the machine you're logging in from? Can someone install a key-logger on it? Or on any of your users' machines? What if your users are all using an unpatched version of Windows ME and install all kinds of trojans and spyware and adware?

Security is hard. It's just a matter of what you're willing to settle for. Although personally I'd be more worried about things like people writing their passwords on Post-It notes and putting it next to their computer or any number of other issues than I would about DB vs. .htaccess authentication.

Very good, robust, overview. I will take it basically to mean that my XML database is indeed plenty safe and portable :D The reason I asked, is because I Was being critisized for using such a method, and I figure and XML database has gotta be about the safest - the only way to really get in is to navigate a custom ring of secured directories, and if someone has done that much, it is fair to say that they have comprimised my very web server :(

I thought this way was adventatgeous, as they cannot directly inject as easily as they could a mysql (etc) database, and the buffer overflow is simply flagged by apache. I wanted to stay away from .htaccess to keep the system completely portable (it can be run off any PHP 5 enabled server, for instance) and just to over kill the drag and drop portability.

Just needed a pat on the back and a cigar of reinsurance, thanks fellas :)

Oh yeah, and Java is never the answer :mad2:

Bipper