views: 319
answers: 3

hi,

I'm curious to know what are the performance impacts of using HTTP Basic Auth on a webserver like Apache or lighttpd or nginx. I imagine the bottleneck is the actual reading of the file by the server to authenticate a user. It also seems to me that the cost of reading the file to authenticate a user is proportional to the number of users in that file.

Questions I have are:
1. Is there a specific number of users at which basic auth via file starts to fall dramatically, or is it linearly relative to the number of users in the file?
2. Given the stateless nature of HTTP, if a user has been authenticated using HTTP Basic Auth by the webserver on one request:
   - does it simply forward the credentials on every request, and the webserver must parse the password file every time in order to determine if this is a request from a valid user?
   or
   - does it get something like a token that it uses in the HTTP header on subsequent requests, allowing the server to avoid parsing the password file again?

thanks in advance
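To make the per-request mechanics behind both questions concrete, here is an added example; it is not code from the thread or from Apache, lighttpd or nginx. It is a small Python model of file-backed Basic Auth: the `Authorization: Basic` header is decoded, the password file is walked line by line until the user is found, and the stored hash is verified. The user list is constructed for the example, only the `{SHA}` htpasswd entry format is verified (real files also carry `$apr1$`, bcrypt and crypt() entries, which fail closed here), and the `lines_scanned` counter exists purely to make the linear cost of a flat file visible; `build_index` shows the obvious fix of parsing the file once.

```python
"""Minimal model of file-backed HTTP Basic Auth (added example, not from the thread).

Every request carries `Authorization: Basic base64(user:password)`; the server
decodes it, scans the password file for the user and verifies the hash.  Nothing
is remembered between requests, which is why the file is consulted every time.
"""
import base64
import binascii
import hashlib
import hmac


def sha_entry(user, password):
    """Build an htpasswd `{SHA}` line: base64(sha1(password)), as `htpasswd -s` writes it."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed htpasswd file: these users and passwords exist only in this example.
HTPASSWD = "\n".join([
    sha_entry("alice", "correct horse"),
    sha_entry("bob", "hunter2"),
    "# comment lines and blank lines are skipped",
    "",
    sha_entry("carol", "s3cret"),
]) + "\n"


def parse_authorization(header):
    """Return (user, password) from a Basic Authorization header, or None if unusable."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password itself may contain ':'
    if not sep or not user:
        return None
    return user, password


def verify_entry(stored, password):
    """Check a password against one stored hash; unsupported formats fail closed."""
    if stored.startswith("{SHA}"):
        expected = stored[len("{SHA}"):]
        actual = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(expected, actual)  # constant-time comparison
    return False


def check_linear(htpasswd_text, user, password):
    """What a flat-file provider does per request: walk lines until the user matches.
    Returns (ok, lines_scanned) so the linear cost is visible."""
    scanned = 0
    for line in htpasswd_text.splitlines():
        scanned += 1
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name == user:
            return verify_entry(stored, password), scanned
    return False, scanned


def build_index(htpasswd_text):
    """Parse the file once into a dict; lookup is then O(1) regardless of user count."""
    index = {}
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        index.setdefault(name, stored)  # first entry wins, same as the linear scan
    return index


def check_indexed(index, user, password):
    stored = index.get(user)
    return verify_entry(stored, password) if stored is not None else False


def handle_request(headers, htpasswd_text, realm="media"):
    """Stateless Basic Auth: each request is authenticated from scratch.
    Returns (status, response_headers, lines_scanned)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    creds = parse_authorization(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, 0
    ok, scanned = check_linear(htpasswd_text, *creds)
    return (200, {}, scanned) if ok else (401, challenge, scanned)


def basic_header(user, password):
    """What the browser sends once it knows the credentials for the realm."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    hdr = {"Authorization": basic_header("carol", "s3cret")}
    for _ in range(2):  # the browser resends the same header; the file is scanned again
        print(handle_request(hdr, HTPASSWD))
    print(handle_request({}, HTPASSWD))  # no header: 401 plus the realm challenge
```

Running it shows the second request for `carol` scanning the same five lines as the first, because nothing about the first request is retained; the dict built by `build_index` is the in-process analogue of the database-backed approach suggested in the first answer.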

A: 

Parsing a file once at logon should scale pretty well, no matter how many users there are. I really wouldn't worry about it. In the future, you can develop a database driven approach with proper indexing. I suspect of all the bottlenecks you'll be running into developing a site, Basic Auth isn't going to be one of them for a very very long time - unless your webserver is VASTLY underpowered.

lod3n
+1  A: 

My experience is with Apache 2.x only.

  1. Yes. It will be linear with the default authentication provider (file). It uses ap_cfg_getline() so it will be linear to number of lines (users).
  2. Yes. mod_aaa has to parse the password every time. You can use something like MemCookie for cookie or token based authentication.
ZZ Coder
+3  A: 
  1. Linearly relative. I wouldn't worry. HTTP Basic Auth has proven to be scalable. Just take the Twitter API as an example. It uses Basic Auth.

  2. "Because the HTTP protocol is stateless, each request will be treated in the same way, even though they are from the same client. That is, every resource which is requested from the server will have to supply authentication credentials over again in order to receive the resource. Fortunately, the browser takes care of the details here, so that you only have to type in your username and password one time per browser session - that is, you might have to type it in again the next time you open up your browser and visit the same web site."

Detailed info in the Apache Auth documentation.

rogeriopvl
Thanks. Basically, what I'm looking at is a Django backend running on Apache2 with mod_wsgi and lighttpd or nginx on the front. It feels like it would be expensive if authentication of secured media was handled by Django, because each request for each piece of static media would have to reach Django, get authenticated, and then be passed back up to nginx or lighttpd. I was just wondering if doing basic authentication at the lighttpd or nginx level would be cheaper. It's certainly simpler.
w-