PHP_AUTH_? Security

Anon

I'm a bit curious on if there is any security issues with using PHP_AUTH_USER & PW

For Example:

Making the user login by using

header( 'WWW-Authenticate: Basic realm="My Realm"' );
header( 'HTTP/1.0 401 Unauthorized' );

This will force the user to enter username (PHP_AUTH_USER) and password (PHP_AUTH_PW).

Now once they set this it will be compared to a MySQL table.

That is just for the login. But basically on any other page, it would check if $PHP_AUTH_USER & PW are set. if they are, they would check against the DB again.

Any security risk doing this?

Anon

better to use html auth instead of http auth because html auth can be undone.

I would use html auth and set vars in the session for the userid and pass and compare those on each page instead.

Anon

Problem is im running PHP3, and to my knowledge sessions implemented until PHP4.
Also, i believe you can use PHPLIB to use sessions but also that is not installed.

Is there a way to create your own type of session? Something like this:

Session table:

SID, username

Then when they login using HTML Form, check the user table which contains the actual username and passwords. If its good, then add Session ID, and the username to the session table.

Also create a cookie with the session ID, and compare the session ID in the cookie to the session ID in the session table?

Or am i way off here.

Anon

better to use html auth instead of http
auth because html auth can be undone.

To my knowledge there is no possible way to "undo" HTTP AUTH. If there were, there would be litterally millions of internet pages that were wide-open to attack.

In http auth the server requests a name and password from the client. No matter what response the client sends, from an empty password to some form of "altered" password, the server checks to see if that name and password combination matches any listed pairs.

There is no way for the client to simply send a "I'm authorized" response that keeps the server from requiring a username and password.

HTTP AUTH is as safe a way to do it as a session or cookie is. Both are made useless by sniffing as are all methods that do not use an encrypted connection.

So to answer the question, the current way you are doing it is fine. The only negative is that some people prefer an html form to the little pop-up window, for purely aesthetic reasons.

Anon

So my code looks correct except for passing the wrong type to the class thus you think it might be a php.ini issue?

btw: I just upgraded from php3 to 4 and am running both on my server concurrently.

Anon

Thanks for the input Plutarck and Tom..

I couldn't really figure a way how it would be unsafe. As you said sessions or http are unsafe unless they are on a secure server. Because anything can be sniffed if they are not. I think I will stick with my PHP_AUTH method, since it seems to be fine.