Form-Based Authentication

So far in this chapter, we have presented authorization techniques based on HTTP. In this section, we describe how to build applications that don't rely on HTTP authentication, but instead use HTML forms to collect user credentials and sessions to implement an authentication framework. We discuss why you might want to avoid HTTP authentication, and the types of applications that benefit from managing the authentication with forms.

Reasons to Use HTTP Authentication

Before you decide to build an application that manages its own authentication, you should consider the advantages of using HTTP authentication:

  • It is easy to use. Protecting an application can be as simple as configuring your web server or creating a file.

  • The HTTP authentication process can be managed by PHP code when an application needs to take over the checking of user credentials. We described how to do this in Section 11.2.2 earlier in this chapter.

  • Support to collect and remember user credentials is built into browsers.

  • HTTP authentication works well with stateless applications.

Reasons to Avoid HTTP Authentication

Some applications, particularly session-based applications that track authenticated users, have requirements that are difficult to meet using HTTP authentication.

Browsers remember passwords

Usernames and passwords entered into a browser authentication dialog box (such as that shown in Figure 11-1) are remembered until the browser program is terminated or a new set of credentials is ...
