Hi, I am developing a website to administrate databases for a law firm and was wondering if htaccess is sufficient for controlling access for users, clients and administration. I wouldn't want to jeopardize my client's information with weak security and was curious how reliable htaccess is?
While authentication does allow resources to be restricted to particular users, there are potential security issues. Some of these are:
- Care must be taken to ensure that the resource is restricted against all methods. Use of <Limit GET>, for instance, leaves POST and other request methods unprotected.
- The username and password are stored in a plain text file. While the password is encrypted, it is not completely safe against decryption, so the file should not be accessible to other users on the system. More importantly, it should not be placed under the document root where users from other sites could access it.
- The username and password are as secure as any username/password system, in that end-users should not tell others their password, or write it down, or make it easily guessable.
- The Basic authentication scheme transmits passwords across the Internet unencrypted, so they could be intercepted.
.htaccess isn't as flexible as writing your own authentication system, but it doesn't have any inherent weaknesses as far as I am aware. Your httpd.conf should already have a global setting to deny access to all files beginning with ".ht". It's more of a hassle to add and remove users than if you roll your own. If you are using SSL, the username and password will not be sent in the clear.
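To make the two warnings above concrete, here is an added example (not from any poster in this thread) showing a `.htaccess` that only guards GET beside a corrected one that covers every method, keeps the credential file out of the document root, and refuses plain HTTP. It assumes Apache 2.4 with mod_rewrite loaded and `AllowOverride` permitting these directives; the paths and realm name are placeholders.

```apache
# ---- WEAK .htaccess (constructed "before" example) ----
# The requirement is wrapped in <Limit GET>, so only GET is challenged.
# A POST, PUT or DELETE to the same path never triggers the password prompt.
AuthType Basic
AuthName "Client records"
AuthUserFile /home/example/.htpasswd
<Limit GET>
    Require valid-user
</Limit>

# ---- CORRECTED .htaccess (use this one, not both files together) ----
AuthType Basic
AuthName "Client records"
# Credential file lives outside the document root (placeholder path),
# so no URL can ever serve it.
AuthUserFile /home/example/private/.htpasswd
# No <Limit>/<LimitExcept> wrapper: the requirement applies to all methods.
Require valid-user

# The stock httpd.conf already denies ".ht*" files; restating it here
# keeps that protection even if the host's global config changes.
<Files ".ht*">
    Require all denied
</Files>

# Basic auth only base64-encodes the credentials, so redirect any plain
# HTTP request to HTTPS before the browser is ever asked for a password.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

A quick check after deploying: a request with a non-GET method (for example a HEAD or POST to the protected path) should return 401 just like a GET does.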
I see, I will make sure to keep 'other' request methods secure. I don't have access to the OS (currently, as a reseller) but I'll check the passwd file location. In the past, I have used my own session routines using PHP (cookie/url id) before but for this project I just have been admining htaccess users with cPanel. Thank you all for the informative responses.