htaccess or login system security

[erect]

I'm from the school of thought that .htaccess security is better than any php based login system. Currently, I'm building some software that could potentially be self hosted by users.

This script already has a mysql database so adding a login system would not be much additional effort on my part, however, I'm considering intentionally leaving the login system out to force users to protect via .htaccess as I feel it's more secure.

I'm hoping you can help me out with some advantages/disadvantages of each.

 

[machinecontrol]

If there's no login system, people will host it without any password protection, trust me. Unless you force people to implement security, most will be too lazy to do so.

 

[kyleirwin]

.htaccess/.htpasswd is just so much easier than setting up a db, setting cookies, and securing it all.

 

[kblessinggr]

From a programatic standpoint .htaccess is much more secure because its easier to setup with fewer lines and applies to all files under a specific folder or path.

But if its a multi-user system with varying permission htaccess wouldn't prevent permission abuse within a PHP system.

When done correctly either setup can be very secure, htaccess is just easier to setup in a single file, but not as easy to deploy or update from a non-coder point of view. So if you're deploying to end users, I'd recommend the PHP route, or machinecontrol said, people will just simply push it up and complain that there's no security despite the htaccess instructions.

 

[erect]

If there's no login system, people will host it without any password protection, trust me. Unless you force people to implement security, most will be too lazy to do so.

I don't really give a shit if they choose not to do this once the script is in their hands. The data is sensitive enough that they will make sure it's protected ... I guarantee it.

From a programatic standpoint .htaccess is much more secure because its easier to setup with fewer lines and applies to all files under a specific folder or path.

I intentionally left the OP a bit vague on the specifics of this script because I'd rather get a consensus opinion of the flaws of either method than to have this question answered specifically for what I'm writing.

This will be a non-multi-user script, but the users could always set up multiple htaccess accounts manually if they want friends/business partners to share the system.

A big plus for me is that .htaccess will lock out googlebot and other from viewing the pages without exposing sensative folder names by excluding via robot.txt. Using htaccess should cut down on the possibility of injections as scripts would have to login before seeing anything.

When done correctly either setup can be very secure, htaccess is just easier to setup in a single file, but not as easy to deploy or update from a non-coder point of view.

That's odd, I've had more luck in the past showing clients how to use cpanel to .htaccess protect folders than I have had showing them around a login system and expecting them to understand

 

[kblessinggr]

That's odd, I've had more luck in the past showing clients how to use cpanel to .htaccess protect folders than I have had showing them around a login system and expecting them to understand

I've bolded the primary reason, will you be able to provide this hand-holding to every client that gets the script from you? Also not everyone has cpanel, those most of the big shared providers do.

Also you "login system" must not be very straight forward in my opinion, but then again I never met your clients.

But here's my thought. Regardless of the ease of setting one up over the other, the php method would pretty much require the client to setup a login, or not be able to use the script. Where as the htaccess method would potentially allow the users to leave it off and pretty much have a default choice of not having it. And it's my philosophy that unless you're going to do the hand-holding there's always bound to be one person who doesn't grasp the instruction then blame you when their setup gets breached.

It could also be a problem if the clients for some reason don't have an AllowOverride turned on in their apache setup (or if they even have apache).

BUT... judging from the sound of it, you already know what you'd prefer.

Personally I wouldn't even mind doing it that way, but did you know you can actually combine .htaccess protection with PHP, since you can have it pass the authenticated user name over to the php script, ergo still using htaccess protection but allowing php to vary on a multi-user setup (or to even test if the script is self-protected and warn if not)..

 

[erect]

My clients in the past have been very sales / middlemen oriented so that definitely factors into the issues I've had. I had to show these guys (multiple times) how to do it either way. This clientele will be much more tech savvy so I'm not concerned about the either route as being an obstacle.

BUT... judging from the sound of it, you already know what you'd prefer.

True, but I wouldn't have started the thread if I weren't open to change. I've done both dozens of times and know my way around either system (with or without cpanel). If I listened to my instincts, would naturally lean towards .htaccess for these specific needs.

You bring up an excellent point though

Personally I wouldn't even mind doing it that way, but did you know you can actually combine .htaccess protection with PHP, since you can have it pass the authenticated user name over to the php script, ergo still using htaccess protection but allowing php to vary on a multi-user setup (or to even test if the script is self-protected and warn if not)..

kb, bringing the heat today.

No, I had never considered combining the 2 ... $_SERVER['PHP_AUTH_USER'] could certainly add some interraction with the user.

This also got me thinking about the differences between logging out. With .htacces, A user has got to destroy the session (kill the tab or browser) to close the connection. This concerns me as being a bit more vague that a big fat "logout" button. Is there a way I can get php to logout a session made by .htaccess so I can provide a logout button also?

 

[somlor]

I like to see both combined. Get the total lockdown via .htaccess, but redirect unauthorized users to a php based login page. That is how Amember works, been meaning to reverse-engineer exactly how they did that.

With the .htaccess only based method you are thinking of, people have to login via a browser pop-up, right? And then they are logged in for good on that computer unless they can figure out how to log out which wouldn't be part of your script's backend, correct? If so, that is the downside I see to going the .htaccess only route -- lack of integrated login/logout handling.

[edit]err-- posted this before seeing the last two posts. muuuultiiiii-tasking.

Sean

 

[somlor]

did you know you can actually combine .htaccess protection with PHP, since you can have it pass the authenticated user name over to the php script, ergo still using htaccess protection but allowing php to vary on a multi-user setup (or to even test if the script is self-protected and warn if not)..

kb, do you know of any resources for how to pull this off?

Trying to understand how Amember does this. Below seems to be the relevant code involved:

/public_html/protected-folder/.htaccess

Options +FollowSymLinks
RewriteEngine On

## allow access for product #2
RewriteCond %{HTTP_COOKIE} amember_nr=([a-zA-Z0-9]+)
RewriteCond /home/mysite/public_html/amember/data/new_rewrite/%1-2 -f
RewriteRule ^(.*)$ - [L]

## if user is not authorized, redirect to login page
# BrowserMatch "MSIE" force-no-vary
RewriteCond %{QUERY_STRING} (.+)
RewriteRule ^(.*)$ http://www.mysite.com/amember/plugins/protect/new_rewrite/login.php?v=-4&url=%{REQUEST_URI}?%{QUERY_STRING} [L,R]
RewriteRule ^(.*)$ http://www.mysite.com/amember/plugins/protect/new_rewrite/login.php?v=-4&url=%{REQUEST_URI} [L,R]
########### AMEMBER FINISH ####################

/public_html/amember/data/.htgroup

PRODUCT_1: joeshmoe jonsmith
PRODUCT_2: james jonsmith

/public_html/amember/data/.htpasswd

joeshmoe:19GdkMIX9J7uQ
jonsmith:bccxYToRPM37s
james:5f32SG6gIRF5Q

It looks like the .htaccess in the protected folder checks for a cookie and then checks to see if it can access a data folder that is protected by a centralized .htgroup/.htpasswd. If these conditions fail the user is redirected to the login.php page.

What I really don't understand is how it distinguishes between users with access to PRODUCT_1, PRODUCT_2, etc. when granting access to the other folder.

Sean