Member area security: Basic Authentication vs PHP session variables?

  • dcortez
    DINO CORTEZ™
    • Jun 2003
    • 2145

    #1

    Tech Member area security: Basic Authentication vs PHP session variables?

    This is for a Linux/Apache environment...

    Is anyone using Basic Authentication for password protection of membership areas?

    Twenty years ago, I was using Basic Authentication, but the 8 char username and password length limits won't cut it today.

    I understand that both username and passwords can be substantially longer and more contemporary encryption algorithms are now supported by Apache.

    Any suggestions, or words of wisdom?

    Thanks!
  • k0nr4d
    Confirmed User
    • Aug 2006
    • 9231

    #2
    There's a mix of this still, plenty still using http authentication.

    If using php sessions you need to use URL signing/hashing for the video files, because they won't be protected otherwise.
    Mechanical Bunny Media
    Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development
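As an added illustration of the URL signing/hashing k0nr4d mentions for video files (example code written for this page, not code from the thread or from Mechbunny): each member-only video link carries an HMAC over the file name, an expiry time and the member id, and the streaming script refuses anything whose signature, expiry or member binding does not check out. The key file path, the video directory, the `video.php` route and the `member_id` session key are all assumptions.

```php
<?php
// Added example, not from the thread: HMAC-signed, expiring URLs for member-only
// video files. A link copied out of a session-protected page stops working when
// it expires and cannot be edited to reach a different file.
// Assumptions (hypothetical): the key file and video directory sit outside the
// web root, and /video.php is the only route that can read the video directory.

const SIGNING_KEY_FILE = '/etc/myapp/url_signing.key'; // hypothetical path
const VIDEO_DIR        = '/srv/members/videos';        // hypothetical path
const URL_TTL          = 900;                          // seconds a link stays valid

function signingKey(): string {
    $key = @file_get_contents(SIGNING_KEY_FILE);
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('signing key missing or too short');
    }
    return $key;
}

// Everything the server later checks is covered by the signature.
function canonical(string $file, int $expires, string $memberId): string {
    return $file . "\n" . $expires . "\n" . $memberId;
}

// Called from a member page that already has a valid session.
function signedVideoUrl(string $file, string $memberId): string {
    $expires = time() + URL_TTL;
    $sig = hash_hmac('sha256', canonical($file, $expires, $memberId), signingKey());
    return '/video.php?' . http_build_query([
        'f' => $file, 'e' => $expires, 'm' => $memberId, 's' => $sig,
    ]);
}

// Returns the file path to stream, or null if the request must be refused.
function verifySignedRequest(array $query, int $now): ?string {
    foreach (['f', 'e', 'm', 's'] as $k) {
        // Query values can be arrays (?f[]=x), so insist on plain strings.
        if (!isset($query[$k]) || !is_string($query[$k])) return null;
    }
    $file = $query['f']; $expires = (int)$query['e']; $memberId = $query['m'];
    if ($expires < $now) return null;                      // link expired
    $expected = hash_hmac('sha256', canonical($file, $expires, $memberId), signingKey());
    if (!hash_equals($expected, $query['s'])) return null; // constant-time compare
    // Only a plain file name: no traversal into other directories.
    if ($file === '' || $file !== basename($file) || $file[0] === '.') return null;
    $path = VIDEO_DIR . '/' . $file;
    return is_file($path) ? $path : null;
}

// video.php entry point: the session must still be valid, and the link must
// have been issued to this member, so a leaked link is useless to anyone else.
function serveVideo(): void {
    session_start();
    if (empty($_SESSION['member_id'])) { http_response_code(403); exit; }
    $path = verifySignedRequest($_GET, time());
    if ($path === null || $_GET['m'] !== (string)$_SESSION['member_id']) {
        http_response_code(403); exit;
    }
    header('Content-Type: video/mp4');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
}
```

The member id is put into the signed payload rather than trusted from the query string alone, so changing `m` invalidates the signature; a short TTL limits how long a shared link works, and the file name check keeps the script from serving anything outside the video directory.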


• dcortez
  DINO CORTEZ™
  • Jun 2003
  • 2145

  #3
  Originally posted by k0nr4d:
    There's a mix of this still, plenty still using http authentication.

    If using php sessions you need to use URL signing/hashing for the video files, because they won't be protected otherwise.

  Thanks for that.

  I'm actually inclined to use Basic Authentication, and I just needed some assurances that it has not been totally abandoned for security limitations.

  Then, there's the issue of which encryption scheme to use...


• k0nr4d
  Confirmed User
  • Aug 2006
  • 9231

  #4
  Originally posted by dcortez:
    Thanks for that.

    I'm actually inclined to use Basic Authentication, and I just needed some assurances that it has not been totally abandoned for security limitations.

    Then, there's the issue of which encryption scheme to use...

  It has not been abandoned, and there are no security issues with it other than that it doesn't natively offer any protection against bruteforce. If you are using Apache 2.4, then the algo you want to use to generate the passwords is bcrypt. None of the algos are INSECURE in practice. Google cracked SHA1 but a single phrase would apparently take a single GPU 110 years to crack so in practice no one is really gonna get through it. The only really insecure hash is unsalted MD5 because it can be reversed using rainbow tables.
  Mechanical Bunny Media
  Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development
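As an added example of the bcrypt recommendation for Apache 2.4 Basic Authentication (written for this page, not code from the thread or from Mechbunny): a small PHP maintenance script that writes htpasswd entries with bcrypt and audits an existing file for the older formats. The htpasswd path and cost setting are assumptions, the sample file contents are constructed, and the script needs PHP 8 for `str_starts_with`.

```php
<?php
// Added example, not from the thread: maintaining an Apache 2.4 htpasswd file
// from PHP with bcrypt entries, plus an audit that flags legacy hash formats.
// Assumptions (hypothetical): the file lives outside the web root and Apache
// points at it with AuthUserFile.

const HTPASSWD_FILE = '/etc/myapp/members.htpasswd'; // hypothetical path
const BCRYPT_COST   = 12; // raise as hardware allows; every +1 doubles cracking cost

// One "user:hash" line. password_hash() with PASSWORD_BCRYPT produces the $2y$
// format that Apache 2.4 accepts, the same format "htpasswd -B" writes.
function htpasswdLine(string $user, string $password): string {
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('invalid username');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return $user . ':' . $hash;
}

// Check a candidate password against a stored entry (constant-time inside).
function checkPassword(string $hash, string $password): bool {
    return password_verify($password, $hash);
}

// Classify an existing entry by the prefix Apache uses to tell formats apart.
function hashScheme(string $hash): string {
    if (str_starts_with($hash, '$2y$') || str_starts_with($hash, '$2a$')) return 'bcrypt';
    if (str_starts_with($hash, '$apr1$')) return 'apr1-md5 (legacy, migrate)';
    if (str_starts_with($hash, '{SHA}'))  return 'sha1 unsalted (legacy, migrate)';
    return 'crypt or plaintext (legacy, migrate)';
}

// Parse file contents and report the scheme in use per user.
function auditHtpasswd(string $contents): array {
    $report = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        if ($line === '' || $line[0] === '#') continue;
        [$user, $hash] = array_pad(explode(':', $line, 2), 2, '');
        $report[$user] = hashScheme($hash);
    }
    return $report;
}

// Add or replace a user's entry, writing via a temp file and rename so Apache
// never reads a half-written file.
function setPassword(string $user, string $password): void {
    $lines = file_exists(HTPASSWD_FILE)
        ? preg_split('/\R/', file_get_contents(HTPASSWD_FILE), -1, PREG_SPLIT_NO_EMPTY)
        : [];
    $lines = array_values(array_filter($lines, fn($l) => explode(':', $l, 2)[0] !== $user));
    $lines[] = htpasswdLine($user, $password);
    $tmp = HTPASSWD_FILE . '.tmp';
    file_put_contents($tmp, implode("\n", $lines) . "\n", LOCK_EX);
    chmod($tmp, 0640);
    rename($tmp, HTPASSWD_FILE);
}

// Constructed sample file (the hash bodies are placeholders, not real digests):
$sample = 'alice:$2y$12$PLACEHOLDERSALTPLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLD' . "\n"
        . 'bob:$apr1$PLACEHOLD$PLACEHOLDERHASH' . "\n"
        . 'carol:{SHA}PLACEHOLDERBASE64=' . "\n";
print_r(auditHtpasswd($sample));
// alice => bcrypt, bob => apr1-md5 (legacy, migrate), carol => sha1 unsalted (legacy, migrate)
```

The audit is the useful part for an existing member area: it shows which accounts still carry apr1 or SHA entries, and `setPassword` rewrites each one as bcrypt the next time that member changes their password. Rate limiting of failed logins, which k0nr4d notes Basic Authentication does not provide on its own, still has to come from somewhere else (mod_evasive, fail2ban on the access log, or a front-end proxy).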


• dcortez
  DINO CORTEZ™
  • Jun 2003
  • 2145

  #5
  Originally posted by k0nr4d:
    It has not been abandoned, and there are no security issues with it other than that it doesn't natively offer any protection against bruteforce. If you are using Apache 2.4, then the algo you want to use to generate the passwords is bcrypt. None of the algos are INSECURE in practice. Google cracked SHA1 but a single phrase would apparently take a single GPU 110 years to crack so in practice no one is really gonna get through it. The only really insecure hash is unsalted MD5 because it can be reversed using rainbow tables.

  Thank you. I really appreciate all this information. It will save me a lot of time.
