tags:

views:

487

answers:

2

I noticed a few big sites use HTTP authentication.

Im wondering what the main difference is between this and session based logins are.

Any advantages or disadvantages.

Any explanation and or suggestions would be helpful as i'm trying to decide which login to use for my site.

thanks

+3  A: 

The biggest disadvantage of HTTP Authentication, from a user's point of view, is probably the fact that you get an ugly looking dialog box, and not a nice form integrated into your website.

You also cannot include any link to a "register" form, or some help, nor some "I've forgotten my password" information.

For some kind of back office, maybe http authentication is OK ; but I have some doubts about its usage for some public front office.

Another inconvenient is that there is no "auto-logout" functionnality, with HTTP Authentication : with sessions, the session expires after some time, or the cookie is automatically deleted when the user closes his browser... But not with HTTP Authentication ; so, on this point, HTTP Authentication seems less secure.

Pascal MARTIN
thanks for the input.Do you know if they are both capable of being integrated with a shopping cart? Is HTTP authentication able to store info like sessions and cookies do?
chris
I believe HTTP Authentication is used for authentication, and that's it ;; sessions and cookies, on the other side, are used to store any kind of data you want... And this data can include authentication informations ;-)
Pascal MARTIN
so after authenticating with HTTP authentication how would make sure the user sees his unique custom member page? Im missing something in my understand :(
chris
About using HTTP Authentication in PHP, you can take a look at this article : http://www.rooftopsolutions.nl/article/223 ;; the login+password are available as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] ;; up to you to deal with those, now ;-)
Pascal MARTIN
thx Pascal what i needed
chris
+2  A: 

http-authentication is sent with each single request. This means that the request remains autonomous of any previous requests (also known as being stateless). Since http has been designed as a stateless protocol, there are a number of technical benefits to keeping with this style. Another big plus of using http-authentication is that it is standardised. Any http-client knows how to deal with http-authentication, so you make interoperability a lot simpler.

The main reason why people use session-based logins are, in my experience:

  • Aesthetics. You can't style the http-authentication box.
  • Usability. You can't put descriptive text or a link to "forgotten password" or "create new account" in the box.

In addition, a lot of people don't care about or outright prefer to sabotage alternative clients (such as screen scrapers and other automated clients).

troelskn