
My site uses HTTP authentication and I've learned it isn't very secure and it causes a lot of problems for many browsers, and not all browsers may support it, so I want to use an alternative that is secure and more widely supported; what are some alternatives?

Is it possible to lock all directories using an HTML login page?

AstroCB
Kunal Chopra
  • HTTP auth should be both secure & supported by all browsers (and with "all", I truly mean pretty much *all* of them). – Martin Tournoij Mar 08 '15 at 20:13
  • This question is too broad for a meaningful answer and it is also asking two very separate things at once. You should ask a) "Is HTTP Basic auth secure" -- see https://stackoverflow.com/questions/3323245/is-basic-access-authentication-secure and b) how can I securely authenticate on a website (too broad) – Rich Jul 25 '23 at 09:52

1 Answer


My site uses HTTP authentication and I've learned it isn't very secure

That's false... unless you're referring to something like basic auth over an insecure channel. In that case, anything over the insecure channel has potential issues. (Even if you did some client-side encryption hackery, you still have the problem that the remote host is not verified without the TLS or SSL layer.)

Basic auth is fine in some cases, and not for others. It depends on what you're trying to do.

it causes a lot of problems for many browsers, and not all browsers may support it

Completely false. I've never seen a browser that didn't support basic auth and digest auth.

what are some alternatives?

This isn't possible to answer without a better understanding of your requirements. Two-factor auth with a DNA sample and a brainwave scan might be more secure but chances are that's not what you're looking for. Besides, you can't forget about the rest of your system and you've told us nothing about that.

Is it possible to lock all directories using an HTML login page?

Yes. How you do this depends on what you're running server-side, but yes it's completely possible and often done.

Brad
  • So why are FF and Chrome not sending my Authorization header? – Gobliins Mar 18 '16 at 11:58
  • @Gobliins How should I know? I don't see your code posted anywhere, and certainly cannot read your mind to know what your code looks like. If your browser isn't sending authorization, you probably didn't request it. I assure you that Chrome, Firefox, and all the others support basic auth. Try it yourself: http://browserspy.dk/password.php – Brad Mar 18 '16 at 15:31
  • There are several mistakes in this comment: a) Basic Auth over HTTP is definitely not secure, as login information is sent in plain text. b) Transmitting basic auth as part of the URL in the form username:passwd@exampleurl.com is an especially insecure way. c) Mobile Safari strips Basic Auth login data from URLs for security reasons, so that method is no longer supported at all on iOS. – Pasi Jokinen Oct 10 '17 at 09:28
  • @PasiJokinen Apparently you didn't read my answer at all. Basic auth is perfectly secure over HTTPS. The first sentence of my answer says that it's not secure over an insecure channel... that is plain HTTP. You also don't seem to know what you're talking about if you think that putting auth in the URL somehow causes it to be transmitted differently. (Use your developer tools, you'll see that it's sent as a request header, for user agents that support it.) Finally, nowhere in my answer did I say anything about URL handlers anyway. – Brad Oct 10 '17 at 15:21
  • re "I've never seen a browser that didn't support basic auth" -- it can be disabled in Chrome via a Group Policy and I have seen a few browsers in UK government departments where their IT teams have blocked it. I expect some other Enterprises may also block it. (HTTP Basic auth over HTTPS is secure and quite suitable for test sites or admin sites.) – Rich Jul 25 '23 at 09:50
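The answer above makes two points that are easier to see in code: a Basic `Authorization` header is only as safe as the channel carrying it, and "locking all directories" behind an HTML login page is done server-side, by a gate that runs before any file handler. The following is an added example written for this page, not code from the question, the answer or any project mentioned here. The user store, the salt, the cookie format (`base64(user|expiry).hmac_hex`) and the `/login` path are all constructed assumptions; only the Python standard library is used.

```python
"""Added example: both gating methods discussed on this page, in Python.

Part 1 decodes and verifies an HTTP Basic 'Authorization' header, which shows
why it is only safe over TLS: base64 is an encoding, not encryption.
Part 2 is a form login that issues a signed, expiring session cookie, plus a
gate that refuses every path except /login without a valid cookie.
The user store, salt, token format and paths are constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

SALT = b"constructed-demo-salt"   # real code: a random salt per user, stored with the hash
PBKDF2_ITERATIONS = 100_000
SESSION_KEY = secrets.token_bytes(32)  # per-process secret; persist and rotate in real deployments
SESSION_TTL = 3600                     # seconds


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, PBKDF2_ITERATIONS)


# Constructed user store: password hashes only, never plaintext.
USERS = {"alice": hash_password("correct horse")}


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends after a 401 with 'WWW-Authenticate: Basic'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from the header. No secret is needed to do this,
    which is the point: over plain HTTP anyone on the path can do the same."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None


def verify_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    candidate = hash_password(password)
    # Unknown user: compare against a dummy of equal length so response time
    # does not reveal which usernames exist.
    dummy = b"\x00" * len(candidate)
    match = hmac.compare_digest(candidate, stored if stored is not None else dummy)
    return match and stored is not None


def check_basic_auth(header: Optional[str]) -> bool:
    creds = parse_basic_auth(header or "")
    return creds is not None and verify_password(*creds)


def issue_session(user: str, now: Optional[float] = None) -> str:
    """Sign 'user|expiry' with HMAC-SHA256: the cookie is opaque and tamper-evident."""
    expires = int(time.time() if now is None else now) + SESSION_TTL
    payload = base64.urlsafe_b64encode(f"{user}|{expires}".encode("utf-8")).decode("ascii")
    sig = hmac.new(SESSION_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the user for a valid, unexpired token, else None."""
    payload, _, sig = (token or "").partition(".")
    expected = hmac.new(SESSION_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii")):
        return None
    try:
        user, _, expires = base64.urlsafe_b64decode(payload).decode("utf-8").rpartition("|")
        if int(expires) <= int(time.time() if now is None else now):
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    return user


def login(user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Handler behind the HTML login form: returns the Set-Cookie value or None."""
    return issue_session(user, now) if verify_password(user, password) else None


def authorize(path: str, session_cookie: Optional[str], now: Optional[float] = None) -> int:
    """Run before any file or directory handler: 200 to serve, 302 to redirect to /login.
    `path` must be the already-decoded, normalised request path, so percent-encoding
    or '..' segments cannot route around the check."""
    if path == "/login":
        return 200
    return 200 if verify_session(session_cookie, now) else 302
```

`parse_basic_auth` needs no key at all, which is why the header is safe only inside TLS; `authorize` is the "lock every directory" piece and has to sit in front of the static-file handler rather than beside it, or a direct request for a file path bypasses the login page entirely.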