Hi all,

I wanted to find out how 'really' secure htaccess is.

A client of mine wants to secure their content by only allowing
access from customers from certain ISPs/ipaddresses only.

They want to do this WITHOUT having to use passwords, so that
valid users automatically have access to the content. Hence they don't have to manage records of millions and millions of users.

Now my question. How secure is .htaccess? Will it keep out all invalid users other than the say expert hackers or can a relatively inexperienced hacker (from an invalid ISP) get to the content despite htaccess?

thanks in advance
Mike

HTTPD Basic/Digest Authentication is not considered real secure because:

1. There are no real mechanisms for taking action based on responses. If someone was brute force hacking your username/password, you'd just have to be keeping an eye on the log to find out. It's not programmable to lock out the user, block the IP address, alert anyone, etc.

2. Your files are going to be in public web space. You're relying on apache to refuse to serve the content based on what directory it's in and on it's own authentication.

3. "Sessions" are based only on username and password, an not any other criteria such as unique IDs, IP address, or anything. This won't be a big factor if you're just serving a single page.

Also, the browser must remember the username and password and send it with each request. Where a better authentication system would only do this once if multiple requests were necessary for a session. Make sure you're using SSL or Digest, or both.

So besides that, it's as secure as your username and password.

There are methods of using HTTPD Basic Authentication along with session IDs, IP addresses, and other parameters to maintain a more secure "login" state.

PS: What's an invalid ISP? :)