Re: how big is too big for an .htpassword file?

by "Kae Verens" <kverens(at)orbism.com>

Date: Thu, 5 Oct 2000 08:59:38 +0100
To: "David Mintz" <mambomintz(at)yahoo.com>, <hwg-languages(at)hwg.org>
References: yahoo
From: "David Mintz" <mambomintz(at)yahoo.com>
> Perhaps what I need is a recommendation for a good
> book or online tutorial to start getting into user
> authentication and session management. I have a fairly
> decent basic understanding of MySQL and PHP.
>
> (I notice a lot of books & articles assume the reader
> has root or root-like privileges on the server and can
> just install this or configure that. I rent on a
> shared server.)
>
> Anyway:  it seems to me one could store usernames and
> passwords (encrypted with 1-way encryption if you
> like)  in a database table and prompt the user for
> these when they log in, then pass them from page to
> page as hidden form elements or cookies. Thing is, on
> each page you'd have to hit your database again to
> search for that user/password to see if it's valid.
> That seems like a load on your database server. But is
> this more or less a technique that people use?
>
> Alternatively, I guess that after successful login you
> could set a cookie that says "this user is ok" and
> check that at each page, but it seems that wouldn't be
> very secure, since savvy users can catch on and bake
> their own cookies.

Here's a different idea - presumably, the username and password would only
be required for dynamically generated pages that are specific to that user.
In that case, you'd be reading from the database anyway, so why not run a
check in each file you'd normally build from the database? You could have
the cookie set to "username:password" instead of just "username", and parse
it to check that the username and password match.

Kae
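
The three worries raised in this thread - querying the database on every page, a "this user is ok" cookie that a savvy visitor can bake for themselves, and carrying the password itself around in a cookie - can all be addressed by having the server sign the cookie. The following is an added example and is not code from either poster; it is written in Python rather than PHP so it runs stand-alone, uses an in-memory dict as a stand-in for the MySQL users table, and the names login, issue_cookie, check_cookie, the sample user and its password are all constructed for the illustration. The same building blocks exist in PHP as password_hash()/password_verify(), hash_hmac() and hash_equals().

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000
SESSION_SECONDS = 3600


def make_user_record(password):
    """Hash a password with a per-user random salt.  This is what the users
    table would hold instead of the clear password (1-way, as the thread says)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed stand-in for the MySQL users table discussed in the thread.
USERS = {"dmintz": make_user_record("correct horse battery")}

# Secret that lives only on the server.  Because the visitor never sees it,
# they cannot produce a valid signature for a cookie they made up themselves.
SERVER_KEY = secrets.token_bytes(32)


def login(username, password, now=None):
    """Check the password against the table once, at login.  On success
    return the cookie value to hand to the browser; on failure return None."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, expected):
        return None
    now = time.time() if now is None else now
    return issue_cookie(username, int(now) + SESSION_SECONDS)


def issue_cookie(username, expires, key=SERVER_KEY):
    """Cookie layout: username:expiry:HMAC(username:expiry).  No password inside."""
    payload = f"{username}:{expires}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def check_cookie(cookie, now=None, key=SERVER_KEY):
    """Per-page check.  Needs neither a database query nor the password:
    recompute the HMAC, compare in constant time, then check the expiry.
    Returns the username when the cookie is genuine and unexpired, else None."""
    try:
        # rsplit from the right so a ':' inside the username cannot confuse parsing
        username, expires, tag = cookie.rsplit(":", 2)
    except ValueError:
        return None
    if not expires.isdigit():
        return None
    expected = hmac.new(key, f"{username}:{expires}".encode(), hashlib.sha256).hexdigest()
    # compare as bytes so an odd character in a forged tag cannot raise instead of failing
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    now = time.time() if now is None else now
    if int(expires) <= now:
        return None
    return username


if __name__ == "__main__":
    cookie = login("dmintz", "correct horse battery")
    print("login ok, cookie:", cookie)
    print("per-page check returns:", check_cookie(cookie))
    print("home-baked cookie returns:", check_cookie("dmintz:9999999999:0000"))
```

Only the login page touches the database; every other page verifies the signature, which is a single HMAC rather than a query. Changing the username or the expiry in the cookie invalidates the tag, and the password never leaves the login form. The trade-off against a random session token stored in a table is that a signed cookie cannot be revoked server-side before it expires, so keep the lifetime short if you need forced logout.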

HWG: hwg-languages mailing list archives, maintained by Webmasters @ IWA