
I noticed a few big sites use HTTP authentication.

I'm wondering what the main difference is between this and session-based logins.

Any advantages or disadvantages.

Any explanation and/or suggestions would be helpful as I'm trying to decide which login to use for my site.

thanks

chris
  • I think you’re speaking of the HTTP authentication. – Gumbo Aug 23 '09 at 19:24
  • If interested in security between these two types of authentication read this: http://stackoverflow.com/questions/5052607/cookies-vs-basic-auth/5052622#5052622 – Marco Demaio Apr 29 '11 at 15:49

2 Answers

The biggest disadvantage of HTTP Authentication, from a user's point of view, is probably the fact that you get an ugly looking dialog box, and not a nice form integrated into your website.

You also cannot include any link to a "register" form, or some help, nor some "I've forgotten my password" information.

For some kind of back office, maybe HTTP authentication is OK; but I have some doubts about its usage for some public front office.

Another inconvenience is that there is no "auto-logout" functionality with HTTP Authentication: with sessions, the session expires after some time, or the cookie is automatically deleted when the user closes his browser... But not with HTTP Authentication; so, on this point, HTTP Authentication seems less secure.

Pascal MARTIN
  • thanks for the input. Do you know if they are both capable of being integrated with a shopping cart? Is HTTP authentication able to store info like sessions and cookies do? – chris Aug 23 '09 at 19:41
  • I believe HTTP Authentication is used for authentication, and that's it; sessions and cookies, on the other side, are used to store any kind of data you want... And this data can include authentication information ;-) – Pascal MARTIN Aug 23 '09 at 19:42
  • So after authenticating with HTTP authentication, how would I make sure the user sees his unique custom member page? I'm missing something in my understanding :( – chris Aug 23 '09 at 19:48
  • About using HTTP Authentication in PHP, you can take a look at this article: http://www.rooftopsolutions.nl/article/223; the login+password are available as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']; up to you to deal with those, now ;-) – Pascal MARTIN Aug 23 '09 at 21:29
  • @PascalMARTIN All of what you say is true, but you forgot the big advantage. HTTP-auth is stateless and can therefore easily be used to implement RESTful services, whilst this isn't necessarily the case for cookie-based systems such as sessions. – GordonM Oct 09 '12 at 11:39
  • I guess, the expiration problem can be easily solved on the server side (what you do there is independent of Authentication in the browser, just return 401 when the value is too old). Deletion on closing the browser is a different story. – maaartinus Jun 20 '17 at 03:49

http-authentication is sent with each single request. This means that the request remains autonomous of any previous requests (also known as being stateless). Since http has been designed as a stateless protocol, there are a number of technical benefits to keeping with this style. Another big plus of using http-authentication is that it is standardised. Any http-client knows how to deal with http-authentication, so you make interoperability a lot simpler.

The main reasons why people use session-based logins are, in my experience:

  • Aesthetics. You can't style the http-authentication box.
  • Usability. You can't put descriptive text or a link to "forgotten password" or "create new account" in the box.

In addition, a lot of people don't care about or outright prefer to sabotage alternative clients (such as screen scrapers and other automated clients).

troelskn
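To make the stateless/stateful contrast from both answers concrete, here is an added example (not code from the question or either answer) that handles the same login two ways in Python: HTTP Basic, where the credentials arrive on every request and any failure answers 401 with the challenge header so the browser prompts, and a session cookie, where the server must keep its own token table and can redirect to its own styled login form. The user store, salt, realm name and cookie name are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
# Constructed demo user store: one account with a salted PBKDF2 password hash.
_SALT = b"demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
CHALLENGE = 'WWW-Authenticate: Basic realm="members"'
SESSIONS = {}  # stateful side: the server must keep this table between requests

def check_password(user, password):
    """Verify a password against the stored hash in constant time."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)

def basic_header(user, password):
    """Build the Authorization value the browser resends on every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def handle_basic(headers):
    """HTTP Basic: credentials ride on each request, so no server state is needed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, CHALLENGE  # the challenge is what makes the browser prompt
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, CHALLENGE  # malformed base64 or non-UTF-8: treat as unauthenticated
    if not check_password(user, password):
        return 401, CHALLENGE
    return 200, f"member page for {user}"

def login_session(user, password):
    """Session login: verify once, then hand out an opaque random token."""
    if not check_password(user, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token

def handle_session(headers):
    """Session cookie: the server must look the token up in its own store."""
    cookie = headers.get("Cookie", "")
    token = cookie[4:] if cookie.startswith("sid=") else ""
    user = SESSIONS.get(token)
    if user is None:
        return 302, "Location: /login"  # the site's own form, with help links
    return 200, f"member page for {user}"
```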