What mechanisms do you developers typically use for preventing unauthorized
access to a web application? I'm trying to determine the best approach for
my web app. Here are the basic guidelines I need to follow:
1. We must limit access to the site to registered users.
2. We currently use BASIC authentication.
3. We currently store passwords in a database in plain text but we now wish
to encrypt them.
4. I was leaning towards using DIGEST authentication but am not convinced
it works correctly based on various articles/books I've seen.
Do you recommend any other approaches? Eventually we will be moving towards
a salted-hash scheme for encryption but we were hoping we could stand up a
site using DIGEST to provide some basic initial encryption before moving to
the stronger scheme.
Any advice would be appreciated.
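An added example, not part of the question above, written to make the Digest-versus-salted-hash trade-off concrete. It implements the HTTP Digest response computation from RFC 7616 (algorithm=MD5, qop=auth) on both the client and the server side, next to a salted PBKDF2-HMAC-SHA256 password store of the kind the question calls the "stronger scheme". The point it demonstrates is that Digest does not give you "initial encryption" of stored passwords: the server must hold either the plaintext password or HA1 = MD5(username:realm:password), and a leaked HA1 is enough to authenticate without ever learning the password, whereas a leaked salted-hash record still leaves the attacker needing the password itself. The realm, usernames, passwords and nonce values are constructed sample inputs; the iteration count is an assumed tuning value.

```python
import hashlib
import hmac
import os
import secrets

# ---------- HTTP Digest authentication (RFC 7616, algorithm=MD5, qop=auth) ----------

def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A Digest server that does not keep the
    plaintext password has to keep exactly this value: an unsalted, fast hash."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """What a browser does: it knows the password, derives HA1, then the response."""
    return digest_response(digest_ha1(username, realm, password),
                           method, uri, nonce, nc, cnonce)


def server_verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, client_response):
    """The server needs only HA1, never the password, to verify a response."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)  # constant-time compare


# ---------- Salted, iterated hash for a Basic-auth or form-login password store ----------

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware budget


def make_password_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    salt = os.urandom(16)  # per-user random salt: same password, different stored hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_password_record(record: dict, candidate: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


# ---------- Constructed scenario: the user table leaks. What can the attacker do? ----------

REALM = "app.example.com"  # constructed sample values, not taken from the question
USER, PASSWORD = "alice", "correct horse battery staple"


def digest_leak_scenario() -> dict:
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    stored_ha1 = digest_ha1(USER, REALM, PASSWORD)  # what the database holds for Digest

    # Legitimate client: knows the password and gets in.
    legit = client_digest_response(USER, REALM, PASSWORD, "GET", "/", nonce, nc, cnonce)
    legit_ok = server_verify_digest(stored_ha1, "GET", "/", nonce, nc, cnonce, legit)

    # Attacker: holds only the leaked HA1, never learns the password, and can still
    # answer any nonce the server issues (the stored value is password-equivalent).
    forged = digest_response(stored_ha1, "GET", "/", nonce, nc, cnonce)
    forged_ok = server_verify_digest(stored_ha1, "GET", "/", nonce, nc, cnonce, forged)

    # Wrong password from a real client is still rejected.
    wrong = client_digest_response(USER, REALM, "wrong", "GET", "/", nonce, nc, cnonce)
    wrong_ok = server_verify_digest(stored_ha1, "GET", "/", nonce, nc, cnonce, wrong)
    return {"legit_ok": legit_ok, "leaked_ha1_ok": forged_ok, "wrong_password_ok": wrong_ok}


def salted_hash_scenario() -> dict:
    rec_a = make_password_record(PASSWORD)
    rec_b = make_password_record(PASSWORD)  # same password, fresh salt
    return {
        "verify_ok": verify_password_record(rec_a, PASSWORD),
        "wrong_password_ok": verify_password_record(rec_a, "wrong"),
        # Different salts defeat shared precomputation; and because login still
        # requires the password itself, the leaked record cannot be replayed.
        "same_password_same_hash": rec_a["hash"] == rec_b["hash"],
    }


if __name__ == "__main__":
    print("digest:", digest_leak_scenario())
    print("salted:", salted_hash_scenario())
```

Run it as a script to see both scenarios. The Digest side is the one to dwell on: `leaked_ha1_ok` is true, so moving from plaintext to stored HA1 changes little about what a database leak costs you, and HA1 is unsalted MD5 that is cheap to brute-force offline as well. Basic authentication over TLS with a salted, iterated hash on the server side is the combination in which a leaked table does not hand the attacker a usable credential.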