
benefits of “HTTP authentication with PHP”

What are the benefits of using HTTP authentication with PHP (HTTP 401 headers) instead of using a normal form-submit authentication?

From a security perspective, both form-based and HTTP Basic Access Authentication use plain text for sending the authentication data. (Sure, HTTP Basic Auth additionally uses Base64, but that's no hitch.)

While HTTP Basic Auth sends the authentication data on every request, form-based authentication only sends the authentication data when the form is sent (remember: both in plain text). Commonly, sessions are used to maintain the state when using form-based authentication.

So if you want to use one of these, be sure to encrypt your connection using HTTPS to prevent sniffing and man-in-the-middle attacks. And when you choose the form- and session-based variant, be sure to secure your session handling too, to prevent or at least detect session frauds like Session Hijacking and Session Fixation.

The last variant is HTTP Digest Access Authentication. The main difference between this and Basic is that Digest is a challenge-response authentication, whereas the client has to fulfill a challenge on every request and the response is just an MD5 hash. So no authentication data in plain text is being sent.

Your question is a bit vague, but the general answer is that using this method gives you a more "RESTful" implementation that follows what HTTP is already good at. In this case, throwing a 401 is something that other web servers, web proxies and web browsers know how to handle. If you're just spitting out an HTML form, it is only actionable by an end user, whereas using the HTTP status codes allows machine interaction.

I'd recommend checking out http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol to understand what HTTP really is. I think that should make all of this make more sense.
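The 401 challenge discussed in the two answers above, as an added PHP example that is not code from the original thread. It assumes the script is served over HTTPS (the first answer's point: Basic auth only Base64-encodes the credentials on every request), that PHP exposes `PHP_AUTH_USER`/`PHP_AUTH_PW` (Apache module, or a FastCGI setup that forwards the Authorization header), and that the user store is a constructed placeholder for a real database lookup.

```php
<?php
// Added example (not from the original answers): HTTP Basic auth in PHP
// using the 401 challenge the question asks about. Assumptions: HTTPS is in
// use, PHP_AUTH_USER/PHP_AUTH_PW are populated by the server, and $users is
// a constructed stand-in for a real credential store of password_hash() values.
declare(strict_types=1);

const REALM = 'Example feed';

// Constructed sample store: username => password_hash() value.
$users = [
    'reader' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Dummy hash so an unknown username costs the same time as a wrong password
// (no username enumeration via response timing).
$dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);

function sendChallenge(): void
{
    // A 401 plus WWW-Authenticate is what browsers, feed readers and proxies
    // know how to act on (the "machine interaction" point in the answer above).
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . REALM . '", charset="UTF-8"');
    echo "Authentication required\n";
    exit;
}

function authenticate(array $users, string $dummyHash): string
{
    // Basic auth resends the (merely Base64-encoded) credentials on every
    // request, so refuse to accept them at all over plain HTTP.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit("HTTPS required\n");
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    // Always run password_verify, even for unknown users (see $dummyHash).
    $hash = $users[$user] ?? $dummyHash;
    $ok = password_verify($pass, $hash) && isset($users[$user]);
    if (!$ok) {
        sendChallenge();   // sends the 401 and exits
    }
    return $user;
}

$who = authenticate($users, $dummyHash);
header('Content-Type: text/plain');
echo "Hello, {$who}\n";
```

A client that gets the 401 (a browser, a feed reader, or curl with `-u reader:...`) retries with an Authorization header; a session cookie is never involved, which is the trade-off the first answer describes.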

As an example of what revolutiontrigger said, I often use HTTP auth on the RSS feeds of sites that use form-based authentication, because many RSS readers can do HTTP authentication but not form-based authentication.

You make websites? If yes, then use the <form> tag... it's prettier ;)

You make apps to be accessed by other apps and dispatch some form of data? Then use HTTP auth.

As far as I know there is no big difference in security terms, or speed or whatever... it's just ugly and easier to implement.
