httpd-users mailing list archives

From "Boyle Owen" <>
Subject RE: [users@httpd] Reposting of Question: Setting Up User Authentication For An Entire Site
Date Fri, 15 Aug 2003 14:26:40 GMT
>-----Original Message-----
>From: Robert Andersson []
>* Are you satisfied with the very low security inherent in Basic
>  Authentication? If sensitive information is going to travel the pipe,
>  you might want to use SSL in addition to Basic Auth.

Just to be clear about this point:

- Basic Auth is used to restrict access to chosen users. A typical use
is to limit access to a members-only section of a website. There is no
encryption of the data stream.

- SSL is used to encrypt the data stream between the client and the
server. It prevents a snooper on the line from eavesdropping. This is
why it is necessary to use SSL if you are going to have people
submitting sensitive information like credit card numbers. SSL does not
secure a site against unauthorised access.

If you put the two together, the main advantage you get is that when the
user types in the password, it is transmitted in an encrypted packet and
so no-one can snoop on it.

By "very low security", Robert is pointing out that the password is
transmitted as a base-64 encoded word - i.e. not encrypted at all. Also,
there is no protection against brute force hacks (like trying 100000
logins at high speed with dictionary passwords) and no alarms are
generated if there are a lot of unsuccessful login attempts (though you
could browse the logs for this).

If you're protecting a site that contains information that people are
supposed to pay to see and you don't mind if someone occasionally gets
in for free, then Basic Auth is probably OK. But I wouldn't use it if,
by gaining access, an intruder gets to view private data about your
clients because that would leave you open to liability claims.

So the two mechanisms are really orthogonal to each other.

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
>* If you are going to have a lot (100+) of users, it would be wise to use
>  another method.
>* As I see it, there is no reason for using an .htaccess file; configure
>  the authentication directly in httpd.conf and refer to a password file
>  (which is not an access file, many seem to mix the two).
>Robert Andersson
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:> for more info.
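Owen's point that Basic Auth raises no alarm on repeated failures, and that the only trace is in the access log, as an added example that is not part of the thread: a small Python script that decodes a Basic credential to show it is plain base64, then scans Apache combined-format log lines for clients that pile up 401 responses inside a short window. The log lines, addresses and usernames are constructed for the example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" log format (not taken from the thread):
# 198.51.100.7 fires a burst of failed logins; 203.0.113.5 mistypes once, then succeeds.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Aug/2003:14:20:01 +0000] "GET /members/ HTTP/1.1" 401 381 "-" "curl/7.10"
198.51.100.7 - admin [15/Aug/2003:14:20:02 +0000] "GET /members/ HTTP/1.1" 401 381 "-" "curl/7.10"
198.51.100.7 - root [15/Aug/2003:14:20:03 +0000] "GET /members/ HTTP/1.1" 401 381 "-" "curl/7.10"
198.51.100.7 - alice [15/Aug/2003:14:20:04 +0000] "GET /members/ HTTP/1.1" 401 381 "-" "curl/7.10"
198.51.100.7 - alice [15/Aug/2003:14:20:05 +0000] "GET /members/ HTTP/1.1" 401 381 "-" "curl/7.10"
203.0.113.5 - bob [15/Aug/2003:14:21:10 +0000] "GET /members/ HTTP/1.1" 401 381 "-" "Mozilla/4.0"
203.0.113.5 - bob [15/Aug/2003:14:21:25 +0000] "GET /members/ HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Fields of the combined format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def decode_basic(header_value):
    """Turn an 'Authorization: Basic ...' value back into (user, password).
    It is only base64, so anyone who sees the header sees the password."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (peak_failures, usernames_tried)} for every client that
    produced at least `threshold` 401 responses within any `window`-long span."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "401":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            failures[m.group("ip")].append((ts, m.group("user")))
    suspects = {}
    for ip, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            suspects[ip] = (peak, {u for _, u in events if u != "-"})
    return suspects
```

`find_bruteforce(SAMPLE_LOG)` flags only 198.51.100.7 with five failures and the usernames it cycled through; the single mistyped login from 203.0.113.5 stays below the threshold. The remote-user field is the name sent in the Authorization header, which httpd records even when the request is rejected, so it shows which accounts were being guessed.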


