Benefits of "using HTTP authentication with PHP"

Time: 2022-10-28 10:43:11

What are the benefits of using HTTP authentication with PHP (HTTP 401 headers) instead of using a normal form submit authentication?


4 solutions

#1


From a security perspective, both the form based and HTTP Basic Access Authentication use plain text for sending the authentication data. (Sure, HTTP Basic Auth additionally uses Base64, but that's no hitch.)


While HTTP Basic Auth sends the authentication data on every request, the form based authentication only sends the authentication data when the form is sent (remember: both in plain text). Commonly sessions are used to maintain the state when using form based authentication.


So if you want to use one of these, be sure to encrypt your connection using HTTPS to prevent sniffing and man-in-the-middle attacks. And when you choose the form and session based variant, be sure to secure your session handling too to prevent or at least detect session frauds like Session Hijacking and Session Fixation.


The last variant is HTTP Digest Access Authentication. The main difference between this and Basic is that Digest is a challenge-response authentication, where the client has to fulfill a challenge on every request and the response is just an MD5 hash. So no authentication data in plain text is being sent.

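The Digest challenge-response flow this answer describes, as an added PHP example that is not code from the original answer. It assumes placeholder values for REALM and NONCE_SECRET, a constructed user store holding HA1 = md5("user:realm:password") rather than the password, and that $_SERVER['PHP_AUTH_DIGEST'] is populated, as it is when PHP runs as an Apache module.

```php
<?php
// Added example (not from the original answers): a Digest Access Authentication gate.
// Assumptions: REALM and NONCE_SECRET are placeholders; $users is a constructed sample
// storing HA1 = md5("user:realm:password"); PHP_AUTH_DIGEST is filled in by the server.
const REALM = 'example-api';
const NONCE_SECRET = 'replace-with-a-long-random-secret';
$users = ['alice' => md5('alice:' . REALM . ':correct horse battery staple')];

// Time-bound, HMAC-protected nonce so a captured response cannot be replayed for long.
function make_nonce(): string {
    $ts = (string) time();
    return base64_encode($ts . ':' . hash_hmac('sha256', $ts, NONCE_SECRET));
}

function nonce_is_valid(string $nonce, int $max_age = 300): bool {
    $parts = explode(':', (string) base64_decode($nonce, true), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) return false;
    $ok = hash_equals(hash_hmac('sha256', $parts[0], NONCE_SECRET), $parts[1]);
    return $ok && (time() - (int) $parts[0]) <= $max_age;
}

// Pull key="value" and key=value pairs out of the Digest header; null if any are missing.
function parse_digest(string $header): ?array {
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    $d = [];
    foreach ($m as $x) $d[$x[1]] = $x[2] !== '' ? $x[2] : ($x[3] ?? '');
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $k) {
        if (!isset($d[$k])) return null;
    }
    return $d;
}

// RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
function digest_valid(array $d, array $users, string $method): bool {
    if (!isset($users[$d['username']]) || $d['realm'] !== REALM || !nonce_is_valid($d['nonce'])) return false;
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5(implode(':', [$users[$d['username']], $d['nonce'], $d['nc'], $d['cnonce'], $d['qop'], $ha2]));
    return hash_equals($expected, $d['response']); // constant-time comparison
}

// The answer's advice still applies: Digest only hides the password, so require HTTPS anyway.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') { http_response_code(403); exit('HTTPS required'); }
$d = isset($_SERVER['PHP_AUTH_DIGEST']) ? parse_digest($_SERVER['PHP_AUTH_DIGEST']) : null;
if ($d === null || !digest_valid($d, $users, $_SERVER['REQUEST_METHOD'])) {
    http_response_code(401); // the 401 + WWW-Authenticate pair is what clients act on automatically
    header(sprintf('WWW-Authenticate: Digest realm="%s", qop="auth", nonce="%s", opaque="%s"', REALM, make_nonce(), md5(REALM)));
    exit('Authentication required');
}
echo 'Hello, ' . htmlspecialchars($d['username']);
```

Because the server must keep MD5(user:realm:password) for every account and the scheme itself rests on MD5, Digest protects the password on the wire but not the account if that store leaks, which is why the HTTPS requirement stays.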

#2


Your question is a bit vague, but the general answer is that using this method gives you a more "RESTful" implementation that follows what HTTP is already good at. In this case, throwing a 401 is something that other web servers, web proxies and web browsers know how to handle. If you're just spitting out an HTML form it is only actionable by an end user whereas using the HTTP status codes allow machine interaction.


I'd recommend checking out http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol to understand what HTTP really is. I think that should make all of this make more sense.

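Issuing the 401 this answer talks about for HTTP Basic auth in PHP, as an added example that is not code from the original answer. It assumes a placeholder realm name, a constructed user store holding password_hash() output, and that under CGI/FastCGI the web server passes the Authorization header through to PHP.

```php
<?php
// Added example (not from the original answers): 401 challenge plus server-side
// verification for HTTP Basic auth. Assumptions: REALM is a placeholder and
// $users is a constructed sample of password_hash() output, never plain passwords.
const REALM = 'example-api';
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Returns [user, password] or null. PHP_AUTH_USER/PHP_AUTH_PW are set when PHP runs as
// an Apache module; under CGI/FastCGI the raw Authorization header must be parsed and
// is only visible if the server forwards it (assumed here, e.g. via SetEnvIf/RewriteRule).
function basic_credentials(): ?array {
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
    }
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) return null;
    $decoded = base64_decode(substr($header, 6), true); // Base64 is encoding, not protection
    if ($decoded === false || strpos($decoded, ':') === false) return null;
    return explode(':', $decoded, 2);                     // the password may itself contain ':'
}

function basic_valid(?array $cred, array $users): bool {
    if ($cred === null) return false;
    [$user, $pass] = $cred;
    // Always run password_verify, against a dummy hash for unknown users, so response
    // timing does not reveal which usernames exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    return password_verify($pass, $known ? $users[$user] : $dummy) && $known;
}

// Basic credentials travel in the clear on every request, so refuse plain HTTP outright.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required');
}
$cred = basic_credentials();
if (!basic_valid($cred, $users)) {
    // The 401 + WWW-Authenticate pair is what browsers, feed readers and API clients
    // handle on their own, which is the interoperability point made above.
    header('WWW-Authenticate: Basic realm="' . REALM . '", charset="UTF-8"');
    http_response_code(401);
    exit('Authentication required');
}
echo 'Hello, ' . htmlspecialchars($cred[0]);
```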

#3


As an example of what revolutiontrigger said, I most often use HTTP auth on RSS feeds for sites that use form-based auth, simply because many RSS readers can do HTTP auth, but can't do form-based auth.


#4


You make websites? If yes, then use the <form> tag.. it's prettier ;)


You make apps to be accessed by other apps and dispatch some form of data? Then use HTTP auth.


As far as I know there is no big difference in security terms, or speed or whatever... it's just ugly and easier to implement.

