durusmail: quixote-users: authentication
authentication
2001-12-18
Greg Ward
On 18 December 2001, Mikhail Sobolev said:
> What is the general feeling about using http authentication
> (authorization) instead of form/cookies approach?

I don't think there's anything Quixote-specific I can say, since Quixote
doesn't provide support for either style of authentication.  (Except for
a Session class with a 'user' attribute that you may use as you see
fit.)

Obviously, you don't use "basic" HTTP authentication if security
matters, since the password can be sniffed as easily as if you put it
unencrypted in email or a hidden form element.  I know very little about
HTTP "digest" authentication; on the one hand, it can't be any *less*
secure than "basic", but I don't know how many browsers implement it.

I suspect the reason 90% of web sites with authentication use the
form-and-cookie approach is that you have more control.  You control
exactly what the user is asked for, and what they are told when they
screw up.  You are free to make your authentication subsystem as
(in)secure as you like, within the bounds of HTTP-over-SSL.

        Greg
--
Greg Ward - software developer                gward@mems-exchange.org
MEMS Exchange                            http://www.mems-exchange.org
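Added example, not part of Greg's post or of Quixote: what a sniffer gets from a captured HTTP Basic header (base64 of "user:password", nothing more) compared with an HTTP Digest header, where the wire carries only a nonce-bound MD5 response and the server can verify it from a stored HA1 = MD5(user:realm:password). It assumes RFC 2617 Digest with qop="auth" and algorithm MD5; the realm, nonce, cnonce and credentials are constructed sample values.

```python
"""Added example (not from the original post or from Quixote): Basic vs
Digest on the wire. Assumes RFC 2617 Digest, qop="auth", MD5, a server
that stores HA1 instead of the password, and constructed sample values."""
import base64
import hashlib
import hmac
import re

REALM = "quixote-demo"                         # constructed realm
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed server nonce


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_basic_header(user, password):
    """Client side: Basic is base64('user:password'), no secrecy at all."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header):
    """What a sniffer does with a captured Basic header: base64-decode it."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def ha1(user, realm, password):
    """RFC 2617 HA1; this is all the server needs to store for Digest."""
    return md5_hex(f"{user}:{realm}:{password}")


def make_digest_header(user, password, method, uri, nonce, nc, cnonce, realm=REALM):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest_header(header):
    """Split the key=value / key="value" list of a Digest header into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def verify_digest_header(header, method, ha1_store, expected_nonce):
    """Server side: recompute the response from stored HA1 and compare.

    The cleartext password is neither on the wire nor in the store; a sniffer
    gets a hash bound to this nonce, method and URI (still brute-forceable
    offline if the password is weak, but not replayable as-is)."""
    f = parse_digest_header(header)
    required = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in f for k in required):
        return False
    if f["nonce"] != expected_nonce or f["qop"] != "auth":
        return False
    stored = ha1_store.get((f["username"], f["realm"]))
    if stored is None:
        return False
    ha2 = md5_hex(f"{method}:{f['uri']}")
    expected = md5_hex(f"{stored}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
    return hmac.compare_digest(expected, f["response"])


if __name__ == "__main__":
    # Constructed credentials; what each header looks like to a sniffer.
    basic = make_basic_header("alice", "s3cret")
    print("Basic on the wire :", basic)
    print("Basic decoded     :", decode_basic_header(basic))
    digest = make_digest_header("alice", "s3cret", "GET", "/private/",
                                NONCE, "00000001", "0a4f113b")
    print("Digest on the wire:", digest)
    store = {("alice", REALM): ha1("alice", REALM, "s3cret")}
    print("Digest verifies   :", verify_digest_header(digest, "GET", store, NONCE))
```

Basic authentication falls to anyone who can read the request, as the post says; Digest keeps the password off the wire, but the MD5 response is still an offline dictionary-attack target and neither scheme protects the rest of the request, which is why HTTP-over-SSL is the real boundary in both cases.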