zend framework - How can I improve HTTP Basic Authentication? -
i working on api site based on zend framework. zf doesn't have sufficient support digest authentication , late shift framework now, thinking of implementing basic authentication.
basic , digest not ideal way perform authentication, while digest better unfortunately not quite supported zend (implementing take work, need project done asap). 1 of big problem basic auth password sent in cleartext form. thinking instead of sending password in cleartext form, can somehow hash using one-way-hashing algorithm / bcrypt avoid sending password in cleartext form? still suffering man-in-the-middle attack though.
but if comparing basic authentication current form-based authentication used web-apps, both sharing same security problem while transferring request server?
your best option keeping request secure use ssl authentication requests ensure information isn't sent in plaintext.
if try kind of hashing or encryption on client before sending authentication request, expose hashing algorithm , salts might using malicious users. makes possible them use dictionary attacks against server.
but if comparing basic authentication current form-based authentication used web-apps, both sharing same security problem while transferring request server?
absolutely are. again forms based authentication best bet use ssl.
alternatively, might consider using external authentication service oauth.
Comments
Post a Comment