benefits of "HTTP authentication with PHP"


Problem description

What are the benefits of using HTTP authentication with PHP (HTTP 401 headers)
instead of using a normal form submit authentication?

Recommended answer

From a security perspective, both the form based and HTTP Basic Access Authentication use plain text for sending the authentication data. (Sure, HTTP Basic Auth additionally uses Base64, but that’s no hitch.)

While HTTP Basic Auth sends the authentication data on every request, the form based authentication only sends the authentication data when the form is sent (remember: both in plain text). Commonly sessions are used to maintain the state when using form based authentication.

So if you want to use one of these, be sure to encrypt your connection using HTTPS to prevent sniffing and man-in-the-middle attacks. And when you choose the form and session based variant, be sure to secure your session handling too to prevent or at least detect session frauds like Session Hijacking and Session Fixation.

The last variant is HTTP Digest Access Authentication. The main difference between this and Basic is that Digest is a challenge-response authentication whereas the client has to fulfill a challenge on every request and the response is just an MD5 hash. So no authentication data in plain text is being sent.
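
The difference between Basic and Digest described in the answer, as an added PHP example that is not part of the original answer: it decodes a Basic `Authorization` header to show what is exposed without HTTPS, then verifies a Digest response on the server side. The function names are hypothetical, and the credentials and header values are the sample from RFC 2617, not data from this page.

```php
<?php
// Added example. Sample credentials and header values are the RFC 2617 test vector.

// Basic: the header is only Base64, so anyone who can read the request recovers the password.
function decodeBasic(string $header): ?array {
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $header, $m)) return null;
    $raw = base64_decode($m[1], true);
    if ($raw === false || strpos($raw, ':') === false) return null;
    [$user, $pass] = explode(':', $raw, 2); // the password may itself contain ':'
    return ['user' => $user, 'pass' => $pass];
}

// Digest: split the header into its key="value" / key=value parameters.
function parseDigest(string $header): array {
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $pairs, PREG_SET_ORDER);
    $out = [];
    foreach ($pairs as $p) {
        $out[$p[1]] = $p[2] !== '' ? $p[2] : ($p[3] ?? '');
    }
    return $out;
}

// Digest: recompute the expected response server-side (qop=auth) and compare in constant time.
function verifyDigest(array $d, string $method, string $password, string $issuedNonce): bool {
    foreach (['username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response'] as $k) {
        if (!isset($d[$k])) return false;
    }
    // Reject unsupported qop values and nonces this server did not issue.
    if ($d['qop'] !== 'auth' || !hash_equals($issuedNonce, $d['nonce'])) return false;
    $ha1 = md5("{$d['username']}:{$d['realm']}:$password");
    $ha2 = md5("$method:{$d['uri']}");
    $expected = md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:{$d['qop']}:$ha2");
    return hash_equals($expected, $d['response']);
}

$basic = 'Basic ' . base64_encode('Mufasa:Circle Of Life');
var_dump(decodeBasic($basic)); // what a network observer sees on every request

$nonce  = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';
$digest = 'Digest username="Mufasa", realm="testrealm@host.com", nonce="' . $nonce . '", '
        . 'uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", '
        . 'response="6629fae49393a05397450978507c4ef1"';
$d = parseDigest($digest);
var_dump(verifyDigest($d, 'GET', 'Circle Of Life', $nonce)); // check with the correct password
var_dump(verifyDigest($d, 'GET', 'wrong password', $nonce)); // check with a wrong password
```

A production check would also confirm that the `uri` and `realm` parameters match the actual request and would expire nonces after use or after a time limit.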
