What's right for me: htAccess, form submittion, HTTP header authentication w/ PHP?
I am creating a website with multiple sections--admin, client, user, and anonymous--each user group having less access then the next开发者_Python百科. I am wondering what form of authentication would be best for my use?
I have heard the if you are just dealing with a websites then a web form is for you (because it's prettier). HTTP header authentication with PHP is said to get clunky/sloppy. htAcess is pretty much the hard core of various authentication methods I have looked up, but is it too much?
You're confusing things.
Your three options are basically two:
- Use HTTP authentication
- Do not use HTTP authentication
Whether it's handled by an .htaccess file or not is another matter. You can do HTTP authentication with Apache and PHP, and you can do non-HTTP authentication with Apache and PHP (though usually you do non-HTTP auth with PHP and HTTP auth with Apache).
Apache can defer the authentication to several backend and frontend modules (e.g. you can use CAS). Apache provides out-of-the-box (no dated sourceforge module...) for the following database backends: FreeTDS, MySQL, Oracle, PostgreSQL, SQLite 2/3 and an ODBC connector.
Personally, I dislike HTTP authentication. Usually a form will is more user friendly and you can provide links such as "Forgot your password?" and "Username not found".
I'd also go with implementing the authentication in PHP, because it's more portable (you can swap the web server).
Go for the form (a session really).
Nowadays it's the only option.
First off, for your application you should go for the simpler login form / session method. Because you want in-application user groups, it's only senseful to also use in-application authentication. Technically for the permission system it makes no difference which auth method is used. But you know, for simplicity and keeping all authorization stuff together...
The hatred against HTTP authentication is misgued, btw. It's the stronger authentication method, if you use HTTP Digest; which OTH is difficult to implement in PHP.
It's a usability nightmare only if you do it wrong. Practically a HTTP logon can be initiated with a login form as well. Using XMLHttpRequest can successfully trigger HTTP Authentication. And with a little more work (401 and new realm), pretty logouts are possible too. If no Javascript is enabled it falls back on the boring login dialog / readline obviously. But I've personally used a text-only browser for a while, and I tended to like that more.
Also, if your admin group is serious business (raw database access tools etc.), you should apply both methods. Make the admin interface separate from the application, apply login form and .htaccess restrictions. Better safe than sorry.
精彩评论