
Passing Data Around (Sessions?)


WJProctor

Ok, my problem is that I'm writing a page with a login. Now I was hoping the login would be in a popup screen, but how do I get the details back to the main screen so that I can then check, when each page loads, whether they should have access or not? Should I just pass sessions around or what? Hope this makes sense to someone.

Regards JP
 
DRJ

Do you know if this runs into the same performance issues as this type of authentication does when used with straight-up HTML? Namely, resending the password on each and every page load, and doing so in an insecure manner if not using SSL or some sort of point-to-point encryption?

-Rob
 
skiflyer

I only recommend basic authentication if no form based authentication handling via SSL is available.

The issues with this type of authentication stay the same, as you mentioned. If there is any sensitive data, basic authentication without encryption is not a good idea.

The overhead of sending username and password with every request is there, however, a session based authentication system will send the session ID, which is probably longer than username and password combined.

In terms of security, I completely agree, that an insecure plain text sending of username and password is highly undesirable for sensitive context.

The best solution then would be:
Write an Apache mod_auth_login handler that establishes credentials and uses a tracking cookie that is referenced in a credentialing database with the IP and username. The handler triggers redirection to an https:// form-based login page that redirects to the requested URL after authentication. Once the credential is established, the auth handler checks .htaccess privileges. A powerful server is recommended for this, but after all, if the data really is sensitive, it deserves the hardware.

One can scale that down to have an SSL based login with a MySQL backend that keeps track of the session with the credentials.
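The scaled-down design skiflyer describes (an SSL login form, a random tracking cookie, and a backend table that maps that cookie to username and IP, with a redirect back to the originally requested URL) can be sketched in a few functions. The Python below is an added illustration, not code from the thread or from any Apache module; the in-memory `SessionStore` stands in for the MySQL table, and `SESSION_TTL`, `LOGIN_PATH`, the user record and the client addresses are all constructed for the example. It also answers the original question: the popup or login form only ever needs to hand back a cookie, and every protected page calls `check_request` at the top.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

# Assumed policy values: not taken from the thread.
SESSION_TTL = 900          # seconds of inactivity before a session expires
LOGIN_PATH = "/login"      # the https:// form-based login page


@dataclass
class Session:
    username: str
    client_ip: str
    last_seen: float


class SessionStore:
    """Stands in for the credential database that maps the tracking cookie
    to username and IP. In a real deployment this would be a MySQL table."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, username, client_ip):
        # The cookie value is a random token; it never encodes the username or password.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(username, client_ip, self._clock())
        return token

    def lookup(self, token, client_ip):
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > SESSION_TTL:
            del self._sessions[token]      # idle too long: expire it
            return None
        if sess.client_ip != client_ip:
            return None                    # cookie presented from a different address
        sess.last_seen = now
        return sess

    def destroy(self, token):
        self._sessions.pop(token, None)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: a salted PBKDF2 hash is stored, never the plaintext password.
_SALT = secrets.token_bytes(16)
USERS = {"jp": (_SALT, _hash_password("correct horse", _SALT))}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        _hash_password(password, b"\0" * 16)   # do the same work for unknown users
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash_password(password, salt), digest)


def safe_next(url):
    """Only redirect back to a local path, so ?next= cannot send a user off-site."""
    return url if url.startswith("/") and not url.startswith("//") else "/"


def handle_login(store, form, client_ip):
    """Handles the POST from the https:// login form.
    Returns (redirect_to, cookie_token); cookie_token is None on failure."""
    if not verify_password(form.get("username", ""), form.get("password", "")):
        return LOGIN_PATH + "?error=1", None
    token = store.create(form["username"], client_ip)
    return safe_next(form.get("next", "/")), token


def check_request(store, cookie_token, client_ip, requested_url):
    """Run at the top of every protected page.
    Returns ("ok", username) or ("redirect", login_url)."""
    sess = store.lookup(cookie_token, client_ip) if cookie_token else None
    if sess is None:
        return "redirect", LOGIN_PATH + "?" + urlencode({"next": requested_url})
    return "ok", sess.username
```

Two points worth noting when adapting this: the cookie should be set with the `Secure` (and `HttpOnly`) attributes so it only travels over SSL, and binding the session to the client IP, as the post suggests, will log out users whose address changes mid-session (mobile clients, some proxy pools), so a deployment has to decide whether that trade-off suits its users.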
 