Jackson,

It really depends on what you are wanting to protect, but in most cases, it is better to use a "homegrown" solution.

If you are interested in why I say this, read on ...

HTTP authentication has two breeds, basic and digest. With basic, the *authentication* credentials (e.g., name and password) are passed in clear text for every single request to a protected resource (so, probably for every request for a page in your application). So, even if you do not use SSL, using your own authentication and then switching to PHP sessions only exposes the user's authentication credentials once. There are other disadvantages as well, such as depending on the client's browser for things like timeout, removing the control from yourself.

Digest authentication addresses the major concern of exposed authentication credentials as well as many other minor ones, but support for it is inconsistent, and only newer browsers are going to have good support. So, while it is definitely a better alternative to basic authentication, it is not a good option for most people.

Using your own does not require much work if you don't want it to. Even a simple username and password collection combined with the "out of the box" PHP sessions solution is probably more suitable in most cases than HTTP's native authentication.

Now, arguments for HTTP authentication would weigh heavier for static resources such as images and HTML files that you want to protect without relying on server-side code (for example, in cases where there is no support for PHP, mod_perl, etc.).

That's my opinion anyway ...

Chris

Jackson Miller wrote:

>I am curious what method of authentication is preferred by people on
>this list. Are you using PHP scripts for authentication and limiting
>access, or are you using HTTP header info. Maybe it is best to use
>both.
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
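
The approach the reply describes (a username and password form combined with PHP's built-in sessions, with the timeout controlled by the server), as an added example that is not part of the original message. The account, the 15-minute timeout and the HTTPS-only cookie setting are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds; enforced by the server, not the browser (assumed value)

// Constructed sample account (hypothetical). A real application stores the
// password_hash() output in its user table at registration time.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

session_set_cookie_params([
    'httponly' => true,   // keep the session ID away from page scripts
    'secure'   => true,   // assumption: the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Drop the session if it has been idle longer than the server allows.
if (isset($_SESSION['user'], $_SESSION['last_seen'])
    && time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
    $_SESSION = [];
    session_destroy();
    session_start();
}

// The credentials travel in this one POST only; later requests carry the session ID.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !isset($_SESSION['user'])) {
    $name = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['password'] ?? '');
    $hash = $users[$name] ?? null;
    if ($hash !== null && password_verify($pass, $hash)) {
        session_regenerate_id(true); // fresh ID after login, against session fixation
        $_SESSION['user'] = $name;
    } else {
        http_response_code(401);
    }
}

if (isset($_SESSION['user'])) {
    $_SESSION['last_seen'] = time();
    echo 'Hello, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<form method="post">
  <input name="username" autocomplete="username">
  <input name="password" type="password" autocomplete="current-password">
  <button>Log in</button>
</form>
```

Without TLS, both the login POST and the session cookie still cross the network unprotected; the session ID simply replaces the password as the value repeated on every request.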