Thursday 21 June 2007

PHP HTTP Authentication

HTTP authentication in PHP comes in two versions, “Basic” and “Digest”.
  • Basic sends the username and password across the net in plain text (merely base64-encoded, which anyone who sees the request can reverse).
  • Digest uses some clever one-way hash functions (e.g. MD5 or SHA1) to prove that both client and server are exactly who they say they are without actually sending the password at all (in fact, the server doesn't even need to store the password itself).
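
The Digest check described above, as an added example that is not code from the original post: the server keeps only HA1 = MD5(username:realm:password) and recomputes the expected response (RFC 2617, qop=auth). The function names, the realm, the account `alice` and the simulated client are assumptions made for illustration; on a live request the header value would come from `$_SERVER['PHP_AUTH_DIGEST']`.

```php
<?php
const REALM = 'Restricted area'; // constructed realm

// The server stores only HA1, never the password itself (constructed account).
$storedHa1 = ['alice' => md5('alice:' . REALM . ':correct horse')];

// Parse the key=value pairs of a Digest Authorization header value.
function parseDigest(string $header): ?array
{
    $needed = ['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'];
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    $fields = [];
    foreach ($m as $pair) {
        $fields[$pair[1]] = $pair[2] !== '' ? $pair[2] : ($pair[3] ?? '');
    }
    // Reject the header if any required field is missing.
    return array_diff($needed, array_keys($fields)) ? null : $fields;
}

// Recompute the response from the stored HA1 and compare in constant time.
function verifyDigest(array $d, string $method, array $storedHa1, string $issuedNonce): bool
{
    if (!isset($storedHa1[$d['username']]) || $d['realm'] !== REALM) return false;
    if (!hash_equals($issuedNonce, $d['nonce']) || $d['qop'] !== 'auth') return false;
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5(implode(':', [$storedHa1[$d['username']], $d['nonce'],
                                  $d['nc'], $d['cnonce'], $d['qop'], $ha2]));
    return hash_equals($expected, $d['response']);
}

// Simulated browser: it knows the password but only ever sends the hash.
function clientResponse(string $user, string $pass, string $nonce, string $method, string $uri): string
{
    $nc = '00000001'; $cnonce = 'c0ffee'; // constructed client values
    $ha1 = md5("$user:" . REALM . ":$pass");
    $resp = md5("$ha1:$nonce:$nc:$cnonce:auth:" . md5("$method:$uri"));
    return sprintf('username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"',
                   $user, REALM, $nonce, $uri, $nc, $cnonce, $resp);
}

$nonce = bin2hex(random_bytes(16)); // server-issued nonce, sent in the 401 challenge
foreach (['correct horse', 'wrong guess'] as $pass) {
    $d  = parseDigest(clientResponse('alice', $pass, $nonce, 'GET', '/private/'));
    $ok = $d !== null && verifyDigest($d, 'GET', $storedHa1, $nonce);
    echo $pass, ' => ', $ok ? 'accepted' : '401 (re-challenge)', PHP_EOL;
}
```

The stored HA1 is still a password equivalent for that realm, so it needs the same protection as a password file.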

A problem with HTTP Authentication is that there is no easy way to log out; in fact, there is no support for logging out at all. The browser can access the restricted material until the cached credentials are flushed, which usually happens when the browser is closed.
