[Chugalug] Access Control for LAMP
cluon at geeklabs.com
Sat Oct 6 13:18:53 UTC 2012
> What do you see as the drawbacks of using .htaccess files for authentication? I feel like this system addresses most of them.
If your only concern is auth, and everyone has the same levels, it works.
Just better make sure those .htaccess files don't get munged/deleted/etc.
Doing it in code allows you to easily apply rules and logic to the auth, such
as allowed IP addresses, velocity detection (blocking an IP after XX bad
logins), blacklisting, HTTP referrers, agents, time of use, password
change rules, allowing users to change passwords (without shelling a
command to update a .htaccess file that should only be writable by root),
which SSL client certificate can be used...
Doing it in code also lets you tie user attributes to those
credentials: security levels, access to specific functions, etc.
> I agree, but I have a few services that should be accessible by http (to avoid self-signed cert errors), so I use digest auth, with some stupid
> workaround for IE6. Works for me since I never have any reason to support IE5.x or older.
Digest auth is not encrypted, just Base64 encoded.
Self-signed cert errors are preferable to plain text. It is easy to add
them for applications people often use. Suggestion:
Grab TinyCA2 and set up a certificate authority, use client certificates as
one of the factors for authentication if you want to do some really fun
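As an added example (this is not code from the original post or from anything the poster describes), here is what the "doing it in code" checks listed above look like in a LAMP application: a source-IP allowlist, velocity detection that locks an IP after a number of bad logins inside a time window, bcrypt password verification, and user attributes (a security level) returned with the authenticated identity. It assumes PHP 5.5 or later (for password_hash/password_verify) on a 64-bit build, and it uses in-memory arrays with a constructed user table and hypothetical network ranges in place of the MySQL tables a real deployment would use, so that it runs offline with `php access_control.php`.

```php
<?php
// Added example, not part of the original post. Assumes PHP >= 5.5, 64-bit.
// $USERS and $FAILURES are in-memory stand-ins for database tables; in a real
// LAMP app they must live in MySQL so the counters persist across requests
// and across Apache worker processes.

// Constructed sample user table: username => bcrypt hash plus a security level.
$USERS = array(
    'alice' => array('hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'level' => 'admin'),
    'bob'   => array('hash' => password_hash('hunter2',       PASSWORD_DEFAULT), 'level' => 'user'),
);

// Velocity policy: lock an IP after MAX_FAILURES bad logins within WINDOW seconds.
const MAX_FAILURES = 5;
const WINDOW       = 900;

// Hypothetical allowed source networks (IPv4 CIDR).
$ALLOWED_NETS = array('10.0.0.0/8', '192.168.1.0/24');

// Failure log: ip => list of timestamps of bad logins.
$FAILURES = array();

// True if $ip falls inside the IPv4 CIDR block $cidr.
function ip_in_cidr($ip, $cidr) {
    list($net, $bits) = explode('/', $cidr);
    $bits = (int)$bits;
    $mask = $bits == 0 ? 0 : -1 << (32 - $bits);   // top $bits bits set
    return (ip2long($ip) & $mask) == (ip2long($net) & $mask);
}

function ip_allowed($ip, array $nets) {
    foreach ($nets as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Drop failures older than the window so old noise does not keep an IP locked.
function prune_failures(array &$log, $ip, $now) {
    if (!isset($log[$ip])) return;
    $log[$ip] = array_values(array_filter($log[$ip], function ($t) use ($now) {
        return $t > $now - WINDOW;
    }));
}

function is_locked(array &$log, $ip, $now) {
    prune_failures($log, $ip, $now);
    return isset($log[$ip]) && count($log[$ip]) >= MAX_FAILURES;
}

function record_failure(array &$log, $ip, $now) {
    $log[$ip][] = $now;
}

// Returns array('status' => ...) and, on success, the user's attributes.
// Order matters: the cheap network and lockout checks run before bcrypt.
function attempt_login(array $users, array &$log, array $nets, $user, $pass, $ip, $now) {
    if (!ip_allowed($ip, $nets)) {
        return array('status' => 'ip_denied');
    }
    if (is_locked($log, $ip, $now)) {
        return array('status' => 'locked');
    }
    // Verify against a throwaway hash for unknown users so the response time
    // does not reveal which usernames exist.
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user]['hash'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!password_verify($pass, $hash) || !$known) {
        record_failure($log, $ip, $now);
        return array('status' => 'bad_credentials');
    }
    unset($log[$ip]);   // a good login clears the velocity counter for this IP
    return array('status' => 'ok', 'user' => $user, 'level' => $users[$user]['level']);
}

// Walk-through when run from the command line.
if (PHP_SAPI === 'cli') {
    $t  = time();
    $ip = '192.168.1.25';
    for ($i = 0; $i < MAX_FAILURES; $i++) {
        $r = attempt_login($USERS, $FAILURES, $ALLOWED_NETS, 'alice', 'wrong', $ip, $t + $i);
        echo "bad attempt $i: {$r['status']}\n";
    }
    $r = attempt_login($USERS, $FAILURES, $ALLOWED_NETS, 'alice', 'correct horse', $ip, $t + 10);
    echo "right password inside the lockout window: {$r['status']}\n";
    $r = attempt_login($USERS, $FAILURES, $ALLOWED_NETS, 'alice', 'correct horse', $ip, $t + WINDOW + 20);
    echo "right password after the window: {$r['status']}, level {$r['level']}\n";
    $r = attempt_login($USERS, $FAILURES, $ALLOWED_NETS, 'bob', 'hunter2', '203.0.113.9', $t);
    echo "from outside the allowlist: {$r['status']}\n";
}
```

The walk-through shows the points the post makes that an .htaccess/htpasswd pair cannot express: the fifth bad login locks the source address, so the correct password is refused ten seconds later and accepted again only once the window has passed, at which point the caller also gets back the user's security level for per-function authorization; a correct password from an address outside the allowlist never reaches the password check at all. Because the whole decision lives in application code, changing a password is an UPDATE on the users table rather than a shell command against a root-owned file.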