Re: the "correct" way to login. - Mailing list pgsql-php

From Andrew Hammond
Subject Re: the "correct" way to login.
Msg-id 20010329184117.A12756@waugh.econ.queensu.ca
In response to Re: the "correct" way to login.  ("Jon Tai" <jon@tgpsolutions.com>)
List pgsql-php
On Sat, Mar 17, 2001 at 01:58:15AM -0800, Jon Tai wrote:

> HTTP auth is bad for several reasons.
>
> 1)  The user/pass is submitted upon each request to the page.

As it is with the cookie solution you provide below.  Assuming you have
one, what's your point?

> 2)  There is no way to control how long a session lasts (auto-logout after a
> certain time)

That is incorrect.  Not only is this possible but it's relatively
trivial.  I know because I've done it.

> 3)  There is no way to end the session explicitly (logout button)

IBID.

And a much more severe problem is present with your form based login.
You may be shocked to hear this, but some web browsers have a history
feature which allows evil bad people to discover userid/password
combinations in URLs accessed by GET forms.  So of course you have to
POST the form instead.  The variables from POSTed forms are typically
cached so you'd better not forget to expire the content.  So you're good
to go, except for that damned cookie file.  While you can easily set an
expiry date on a cookie, that doesn't necessarily purge it from the
cookie file.  In fact, some browsers only vacuum their cookie jar on
startup / shutdown.  And it doesn't take a whole lot of clue to dissect
a cookie file.

> 4)  There is built-in session support in PHP4.  Use it.  =)

There is built-in authorization support in the HTTP standard.  Use it.

Try reading "HTTP 1.1" RFC 2068 sections 10.4.2, 11 and 14.8.

So, I say again: the correct way to solve this problem is to use HTTP
authentication.  Standards exist for a reason.
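The idle timeout and explicit logout the post says are possible with HTTP auth, as an added PHP example that is not Andrew's code: it assumes PHP running as an Apache module (so `PHP_AUTH_USER`/`PHP_AUTH_PW` are populated), the usual trick of re-issuing a 401 to make the browser discard cached credentials, and a server-side activity marker; the user table, timeout and file paths are constructed placeholders.

```php
<?php
// Added example, not code from the original post: HTTP Basic auth in PHP with
// a server-side idle timeout and an explicit logout, the two things the post says
// are possible. The user table, timeout and file store are constructed placeholders.
// Basic auth sends the password on every request, so serve this only over HTTPS.

const IDLE_TIMEOUT = 900;            // seconds of inactivity before re-auth is required
const REALM        = 'Example App';

// Constructed user table: store password_hash() output, never the plaintext password.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$DUMMY = password_hash('dummy', PASSWORD_DEFAULT); // verified for unknown users, same timing
// Per-user "last seen" marker kept on the server, so no cookie is involved at all.
function lastSeenPath(string $user): string {
    return sys_get_temp_dir() . '/httpauth_' . hash('sha256', $user);
}

// A fresh 401 makes the browser discard the credentials it cached for this realm and
// prompt again; that single mechanism implements both "logout" and "expired".
function challenge(string $msg): void {
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('Cache-Control: no-store');   // keep protected content out of shared caches
    http_response_code(401);
    exit($msg);
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW']   ?? '';
// Reject bad credentials before anything else; unknown users cost the same as known ones.
if (!password_verify($pass, $USERS[$user] ?? $DUMMY) || !isset($USERS[$user])) {
    challenge('Authentication required.');
}

$marker = lastSeenPath($user);
// Explicit logout: forget the server-side state and re-challenge.
if (isset($_GET['logout'])) {
    @unlink($marker);
    challenge('Logged out.');
}
// Idle timeout: the browser resends credentials on every request, so the server must
// decide when they are stale. Older than IDLE_TIMEOUT means the user must re-enter them.
if (is_file($marker) && time() - filemtime($marker) > IDLE_TIMEOUT) {
    @unlink($marker);
    challenge('Session expired; please log in again.');
}
touch($marker);                       // refresh the activity timestamp

echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The "logout" relies on the browser forgetting the realm's credentials after the 401; a user who simply re-types them is, correctly, logged in again.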
