.htaccess vs Login Page

software development

#1

I’ve searched through the forums and tried to google my answer, but I can’t seem to find exactly the answer I’m looking for. My question is: which is more secure - using htaccess authentication or creating a login page for authentication?

From what I’ve read, creating a login page is the standard now as htaccess doesn’t have an easy way to logout. But is a login page secure? I set up a login page and have been testing it using MAMP. Everything seems to be working fine and I don’t see: http://username:password like you would see with javascript. The way I have it set up is by using a file called passwords.php which includes:

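[code]<?php
// Username => password lookup table.
$USERS["username1"] = "password1";
$USERS["username2"] = "password2";
$USERS["username3"] = "password3";

// Redirect to the login page unless the session holds a known username.
function check_logged(){
    global $USERS; // $_SESSION is a superglobal and needs no global declaration
    if (!isset($_SESSION["logged"]) || !array_key_exists($_SESSION["logged"], $USERS)) {
        header("Location: login.php");
        exit; // stop here so the rest of the protected page is not sent
    }
}
?>[/code]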

At the top of each page I want protected I include:

<?php session_start(); include("passwords.php"); check_logged(); ?>

So each page checks passwords.php for an authenticated user to be logged in. If not, then it loads login.php which I’ve formatted to have the login and password prompts. Is using this method secure? Would there be a better way to store the name and password rather than in an array with the name being the index of the array and the password by the value of that index?

I apologize if this has already been answered before, but unfortunately I couldn’t find anything involving a php login page.

Thanks in advance!


#2

I worked on a php based site as part of a team project and we did something similar to this, except we hashed the password and stored the username and password in a database.


#3

Stormy,

After adding this post I actually went ahead and did that. I set up a MySQL database here on dreamhost and then set my login page to require authentication from the database. How did you set up authentication for the pages you wanted protected? Did you have to include a php script at the top of each page that would check for a logged in user before allowing access?

The future problem I can see with this is that we also have a wiki set up and putting a script at the top of each page could be extremely tedious.

I’m also trying to set up Google Apps with SSO (single sign-on) so I would like to have my site as secure as possible while also allowing SSO to work.

If anyone has any suggestions or thoughts I would appreciate them.

Thanks


#4

Yes, we had a script at the top that would check the session for a logged in user (and what access level they had, so regular users couldn’t see the Admin page).

We just copy-pasted the script, not too bad.
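
The approach discussed in this thread (hashed passwords in a database, plus a session check with an access level at the top of each protected page), as an added example that is not code from any poster. The table layout, column names, function names and the in-memory SQLite database standing in for MySQL are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// auth.php - added example; table, column and function names are assumptions.

// Stand-in for the MySQL database from the thread: in-memory SQLite, one constructed user.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL, level INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    // Store only the salted hash, never the password itself.
    $ins->execute(['username1', password_hash('constructed-sample-pw', PASSWORD_DEFAULT), 1]);
    return $db;
}

// Returns the user's access level on success, or null on bad credentials.
function verify_login(PDO $db, string $user, string $pw): ?int {
    $q = $db->prepare('SELECT pw_hash, level FROM users WHERE username = ?');
    $q->execute([$user]);   // bound parameter, so the username cannot alter the query
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // Same return value for an unknown user and for a wrong password.
    if ($row === false || !password_verify($pw, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['level'];
}

// Call after a successful verify_login(); session_start() must already have run.
function log_in(string $user, int $level): void {
    session_regenerate_id(true);   // fresh session ID on login to prevent session fixation
    $_SESSION['logged'] = $user;
    $_SESSION['level']  = $level;
}

// Gate for the top of each protected page; $minLevel separates regular and admin pages.
function require_login(int $minLevel = 1): void {
    if (!isset($_SESSION['logged']) || ($_SESSION['level'] ?? 0) < $minLevel) {
        header('Location: login.php');
        exit;   // without this the protected page is still sent after the redirect header
    }
}
```

Where the host allows it, PHP's `auto_prepend_file` directive can load a file that calls `session_start()` and `require_login()` before every script, which avoids pasting the check into each page. The login page itself has to be exempted from that check, or it will redirect to itself.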