Comments on: Basic Auth – Just Say No http://www.techper.net/2009/12/04/basic-auth-just-say-no/ About Technology in My Life Tue, 27 Jul 2010 08:01:33 -0500 http://wordpress.org/?v=2.8.6 hourly 1 By: Ram Pathak http://www.techper.net/2009/12/04/basic-auth-just-say-no/comment-page-1/#comment-37371 Ram Pathak Tue, 23 Feb 2010 20:46:51 +0000 http://www.techper.net/?p=304#comment-37371 It is good (better, easier, straight forward) as long as you use it within internal network (intranet environment), usually for admin related tool. It is good (better, easier, straight forward) as long as you use it within internal network (intranet environment), usually for admin related tool.

]]> By: John Himmelman http://www.techper.net/2009/12/04/basic-auth-just-say-no/comment-page-1/#comment-37155 John Himmelman Tue, 16 Feb 2010 21:18:43 +0000 http://www.techper.net/?p=304#comment-37155 I'd never use basic auth for a client/frontend login but its great for walling-out users from backend pages, or more specifically directories with analytic scripts and other sensitive material (over HTTPS though). I’d never use basic auth for a client/frontend login but its great for walling-out users from backend pages, or more specifically directories with analytic scripts and other sensitive material (over HTTPS though).

]]> By: Lantrix http://www.techper.net/2009/12/04/basic-auth-just-say-no/comment-page-1/#comment-37030 Lantrix Tue, 09 Feb 2010 02:19:22 +0000 http://www.techper.net/?p=304#comment-37030 I'm using basic auth in two instances. In an internal private non-commercial network for squid authentication for proxy users. Change password is performed using a cgi running on the squid server. I'm also using it on an externally facing web server; but the caveat is that I make apache httpd enforce use of HTTPS. It's useful for adhoc authentication for a small amount of users - as long as HTTPS is enforced for public networks. That said, I would actually recommend other methods of authentication such as <a href="http://www.h5l.org/" rel="nofollow">Kerberos</a> or <a href="http://www.openbsd.org/faq/pf/authpf.html" rel="nofollow">authpf</a>; especially for external user authentication. I’m using basic auth in two instances.
In an internal private non-commercial network for squid authentication for proxy users. Change password is performed using a cgi running on the squid server.

I’m also using it on an externally facing web server; but the caveat is that I make apache httpd enforce use of HTTPS.

It’s useful for adhoc authentication for a small amount of users – as long as HTTPS is enforced for public networks.

That said, I would actually recommend other methods of authentication such as Kerberos or authpf; especially for external user authentication.

]]> By: polesen http://www.techper.net/2009/12/04/basic-auth-just-say-no/comment-page-1/#comment-35619 polesen Fri, 11 Dec 2009 15:59:43 +0000 http://www.techper.net/?p=304#comment-35619 @johnstock: Yes, thats true. @johnstock: Yes, thats true.

]]> By: johnstok http://www.techper.net/2009/12/04/basic-auth-just-say-no/comment-page-1/#comment-35618 johnstok Fri, 11 Dec 2009 15:56:59 +0000 http://www.techper.net/?p=304#comment-35618 There are lots of HTTP clients besides browsers :-) In many cases HTTPS + Basic auth can be sufficient for confidential, authenticated access to resources. An obvious example being the twitter API. There are lots of HTTP clients besides browsers :-)

In many cases HTTPS + Basic auth can be sufficient for confidential, authenticated access to resources.

An obvious example being the twitter API.

]]> By: polesen http://www.techper.net/2009/12/04/basic-auth-just-say-no/comment-page-1/#comment-35459 polesen Sat, 05 Dec 2009 17:57:13 +0000 http://www.techper.net/?p=304#comment-35459 Nope - none of the problems I mention are solveable by the application itself emitting the headers. It will still be the browser, that pops up the dialog and does all the handling itself. No way to control that. Nope – none of the problems I mention are solveable by the application itself emitting the headers.

It will still be the browser, that pops up the dialog and does all the handling itself. No way to control that.

]]> By: Mike Girouard http://www.techper.net/2009/12/04/basic-auth-just-say-no/comment-page-1/#comment-35458 Mike Girouard Sat, 05 Dec 2009 17:51:02 +0000 http://www.techper.net/?p=304#comment-35458 I agree... but I assume you're speaking of the de-facto server-supplied basic auth right? I imagine that all of the problems you identify above are solved if you have a server-side app emitting the basic auth headers. Cheers, Mike G. I agree… but I assume you’re speaking of the de-facto server-supplied basic auth right?

I imagine that all of the problems you identify above are solved if you have a server-side app emitting the basic auth headers.

Cheers,
Mike G.

]]>