Security: SESSION vs. .htaccess

mrgrammar

I am working on a login system. I could just secure a directory by using a .htaccess file. However, I'm considering other options.

One method I've looked at is using a SESSION. Here's what I'm considering.

The server stores the login settings either in a file on the server or in a mysql database. When a person fills out the login form, it compares his/her form inputs to the login settings. If the login settings match, it sets a SESSION that contains login variables.

On each page, before the page displays, it reverifies the SESSION's stored login variables against the login settings stored on the server. If the settings match, the page displays. If the settings do not match, the visitor is automatically sent back to the login form.

Here are my questions?

Is .htaccess actually secure or can it be hacked?
How secure is the method of using the SESSION as described above?
What is your suggestion for securing a directory?

MarkR

mrgrammar wrote:
I am working on a login system. I could just secure a directory by using a .htaccess file. However, I'm considering other options.

.htaccess ia an Apache-specific configuration option and does not constitute an authentication mechanism.

I'll assume that by ".htaccess", you mean "HTTP Authentication", which is entirely unrelated to .htaccess, except that the .htaccess mechanism is sometimes used to configure HTTP Authentication.

1. Is .htaccess actually secure or can it be hacked?

.htaccess has no inherent vulnerabilities that I'm aware of. Of course all the normal caveats apply.

HTTP basic authentication sends all credentials in the clear (unless you're using HTTPS) where they can be intercepted and compromised by someone who can tap the wire.

2. How secure is the method of using the SESSION as described above?

Provided it's a correct implementation, equally secure. Make sure you follow all the guidelines in the PHP session documentation for maximum security, i.e. ALWAYS enable session.use_only_cookies

You need to be sure that your implementation is correct and takes all security precautions (i.e. isn't vulnerable to attacks ITSELF such as SQL injection)

3. What is your suggestion for securing a directory?

That question makes no logical sense. Directories are not things which "need to be secured" in a web sense, as there is no mechanism to retrieve a directory via HTTP.

Mark

Horizon88

I believe on his third question, as to securing directories, he means preventing directory indexing or unauthorized access of select files within that directory.

For something like that, it would be simpler to use .htaccess files and deny directory indexing unless they have a username and password, most likely. (I'm assuming this is for a /downloads/ directory or something of the like, not a full blown administrative sub-directory or something.)

mrgrammar

Horizon88 wrote:
I believe on his third question, as to securing directories, he means preventing directory indexing or unauthorized access of select files within that directory.

For something like that, it would be simpler to use .htaccess files and deny directory indexing unless they have a username and password, most likely. (I'm assuming this is for a /downloads/ directory or something of the like, not a full blown administrative sub-directory or something.)

You are correct. I was referring to securing a downloads directory. However, your post brings up another point. What about a site administration subdirectory that allows users to change settings for their web site.

For example, let's say I design a site where the user can control the background color, whether headings are centered and other cosmetic features. I'd want to give the user an administrative web page to make those changes. I can locate that page in its own subdirectory. Is a .htaccess in that subdirectory sufficient protection for that page or is there a better way?

Horizon88

.htaccess is a good solution for something like a downloads directory because it requires little maintenance. If you do something like you're talking about and secure it with htaccess, what happens when you implement moderator/administrator statuses? You make new directories for everything, or you start over. The best way I've found to secure admin directories is set a blank index.html in the /admin/ folder, then put the scripts I need to run in that directory and call them from outside the directory with something like this:

//admin page
define('IS_AUTH', TRUE);

require_once('admin/page.php');

then in page.php:

if (!defined('IS_AUTH')) {
// direct access not allowed, redirect outside
   header('location: ../index.php');
}
else {
// required code here
}

Then you can use a mySQL database for the user system, which is easier to extend/modify than an .htaccess setup would be.

That's my two cents, at least.