Brad Hubbard wrote:
> Can I get some feedback on the conventional wisdom as to the best solution
> for high volume registration and authentication of users accessing a secure
> site? I have worked before with database/session based methods as well as
> htaccess. Which is preferred? Are there alternatives?
>
> Thanks for the feedback,
> Brad

I guess the first thing you should help us with is defining "high volume". :) 1/sec? 100/sec? Actually, this will probably have less impact on architecture than hardware, but I'm always curious as to what 'high volume' is to different people (my own view has changed a lot over the years).

".htaccess" can be made to pull data from a database, so I don't think there's a clear distinction to be made there. Furthermore, if the .htaccess is using a textfile for password authentication, how many users are in it? 1,000? 1,000,000? 1,000,000,000? Using a database would be more flexible, I believe, should you need to change webservers in the future - you probably won't be moving to IIS, but hey, who knows? :)

Manuel is right about the browser authentication method not being 'controllable'. If you log in with a 'challenge/response' password box, your browser will keep sending that information with every request (including graphics), and because it's in the browser, you have no easy way of forcing it to log out. Doing 'server-side' authentication and session handling is going to give you more flexibility.

Our initial testing has shown LDAP to be a bit faster in raw lookups for user authentication. Perhaps a combination of LDAP and another database to store the session data would be your best bet.

If you could give us more info on your hardware and requirements needs we can better assist you.

Michael Kimsal
http://www.phphelpdesk.com
Guaranteed PHP support when you need it
734-480-9961

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
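
The server-side session handling recommended in the reply above, as an added example that is not part of the original message: the browser holds only a random token, the database holds the session, and deleting the row logs the user out, which browser password-box authentication cannot do. The table and function names, the 30-minute lifetime, the in-memory SQLite store (needs the pdo_sqlite extension) and the demo user are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const SESSION_TTL = 1800; // assumed session lifetime in seconds

// Hypothetical schema: one table of users, one of live sessions.
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY,
                                      name TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Check the password once, then hand back a random token for the cookie.
function login(PDO $db, string $name, string $password): ?string {
    $st = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $st->execute([$name]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    // Store only a hash of the token, so a leaked table cannot be replayed.
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $name, time() + SESSION_TTL]);
    return $token;
}

// Called on every request: the password itself never travels again.
function current_user(PDO $db, string $token): ?string {
    $st = $db->prepare('SELECT name FROM sessions WHERE token_hash = ? AND expires > ?');
    $st->execute([hash('sha256', $token), time()]);
    $name = $st->fetchColumn();
    return $name === false ? null : $name;
}

// Logout is a server-side decision: remove the row and the token is dead.
function logout(PDO $db, string $token): void {
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed demo data, not from the thread.
$db = open_store();
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
$token = login($db, 'alice', 's3cret-demo');
var_dump(current_user($db, $token)); // session is live
logout($db, $token);
var_dump(current_user($db, $token)); // same token after logout
```

In a real deployment the token would be sent as a cookie marked Secure and HttpOnly, and the user lookup in `login()` could be replaced by an LDAP bind while the sessions table stays in the database, the combination the reply suggests.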