Specifications

browser is then responsible for displaying a dialog box or similar device to get the required information from the user.
Although the Web server requests new authentication details for every user request, the Web browser does not need to ask the user for those details for every page. The browser generally stores them for as long as the user has a browser window open and automatically resends them to the Web server as required, without user interaction.
This feature of HTTP is called basic authentication. You can trigger basic authentication using PHP, or using mechanisms built into your Web server. We will look at the PHP method, the Apache method, and the IIS method.
Basic authentication transmits a user's name and password in plain text, so it is not very secure. HTTP 1.1 contains a somewhat more secure method known as digest authentication, which uses a hashing algorithm (usually MD5) to disguise the details of the transaction. Digest authentication is supported by many Web servers, but is not supported by a significant number of Web browsers. Digest authentication has been supported by Microsoft Internet Explorer from version 5.0. At the time of writing, it is not supported by any version of Netscape Navigator, but might be included in version 6.0.
In addition to being poorly supported by installed Web browsers, digest authentication is still not very secure. Both basic and digest authentication provide a low level of security. Neither gives the user any assurance that she is dealing with the machine she intended to access. Both might permit a cracker to replay the same request to the server. Because basic authentication transmits the user's password as plain text, it allows any cracker capable of capturing packets to impersonate the user and make any request.
Basic authentication provides a (low) level of security similar to that commonly used to connect to machines via Telnet or FTP, transmitting passwords in plaintext. Digest authentication is a little more secure, encrypting passwords before transmitting them. Using SSL and digital certificates, all parts of a Web transaction can be protected by strong security.
If you want strong security, you should read the next chapter, Chapter 15, "Implementing Secure Transactions with PHP and MySQL." However, for many situations, a fast but relatively insecure method such as basic authentication is appropriate.
Basic authentication protects a named realm and requires users to provide a valid username and password. Realms are named so that more than one realm can exist on the same server. Different files or directories on the same server can be part of different realms, each protected by a different set of names and passwords. Named realms also let you group multiple directories on one host or virtual host into a single realm and protect them all with one password.
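The plaintext and replay weaknesses described above, and the realm mechanism, worked through as an added example in Python (not code from the book, which presents the PHP, Apache and IIS methods). It shows that a Basic credential is only Base64-encoded, so anyone who captures the header recovers the password, and that a digest response hides the password but, for the same nonce, can be replayed. The realm name, the user "alice", the password and the nonce values are constructed for the example; the digest formula used is the simple MD5(HA1:nonce:HA2) form without the later qop extension.

```python
import base64
import hashlib
import hmac

# Constructed password list for the example (not from the book): realm -> {username: password}.
REALMS = {
    "Members Only": {"alice": "secret"},
}


def challenge(realm):
    """Header the server sends with a 401 response to ask the browser for credentials in a realm."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm


def encode_basic(user, password):
    """What the browser puts in the Authorization header for basic authentication."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(authorization):
    """Recover the username and password from an Authorization: Basic header.

    Base64 is an encoding, not encryption: anyone who captures this header on an
    unencrypted connection recovers the password exactly as this function does.
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def check_basic(realm, authorization):
    """Server-side check of a Basic credential against the realm's password list."""
    try:
        user, password = decode_basic(authorization)
    except (ValueError, UnicodeDecodeError):  # malformed header or bad Base64
        return False
    expected = REALMS.get(realm, {}).get(user)
    if expected is None:
        return False
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def digest_response(user, realm, password, method, uri, nonce):
    """Client-side digest (simple MD5 form): MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri).

    The password never appears on the wire, but the response for a given nonce is
    fixed, so a captured response can be replayed until the server changes the nonce.
    """
    ha1 = hashlib.md5(("%s:%s:%s" % (user, realm, password)).encode("utf-8")).hexdigest()
    ha2 = hashlib.md5(("%s:%s" % (method, uri)).encode("utf-8")).hexdigest()
    return hashlib.md5(("%s:%s:%s" % (ha1, nonce, ha2)).encode("utf-8")).hexdigest()


def check_digest(realm, user, method, uri, nonce, response):
    """Server-side digest check: recompute the response from the stored password."""
    stored_password = REALMS.get(realm, {}).get(user)
    if stored_password is None:
        return False
    expected = digest_response(user, realm, stored_password, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    realm = "Members Only"
    print(challenge(realm))
    # Constructed "captured" header, as a packet sniffer on the link would see it.
    captured = encode_basic("alice", "secret")
    print("on the wire:", captured)
    print("recovered  :", decode_basic(captured))
    print("valid      :", check_basic(realm, captured))
    # Digest: the password is hidden, but the same nonce gives the same response.
    resp = digest_response("alice", realm, "secret", "GET", "/private/", "nonce-1")
    print("digest     :", resp)
    print("replay with same nonce accepted:", check_digest(realm, "alice", "GET", "/private/", "nonce-1", resp))
    print("replay with new nonce accepted :", check_digest(realm, "alice", "GET", "/private/", "nonce-2", resp))
```

Running the script prints the realm challenge, the captured Basic header and the username and password recovered from it, then shows that the digest response is accepted again with the same nonce and rejected once the server issues a fresh one.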
Chapter 14, Implementing Authentication with PHP and MySQL, page 313