what are the benefits of using HTTP authentication with PHP (HTTP 401 headers)
instead of using a normal form submit authentication??
HTTP authentication aims at preventing unauthorized entry to PHP web applications by defending sensitive files or endpoints using a username and a password or those containing Base64 encoded credentials.
Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER , PHP_AUTH_PW , and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER array.
From security perspective, both the form based and HTTP Basic Access Authentication use plain text for sending the authentication data. (Sure, HTTP Basic Auth additionally uses Base64, but that’s no hitch.)
While HTTP Basic Auth sends the authentication data on every request, the form based authentication only sends the authentication data when the form is sent (remember: both in plain text). Commonly sessions are used to maintain the state when using form based authentication.
So if you want to use one of these, be sure to encrypt your connection using HTTPS to prevent sniffing and man-in-the-middle attacks. And when you choose the form and session based variant, be sure to secure your session handling too to prevent or at least detect session frauds like Session Hijacking and Session Fixation.
The last variant is HTTP Digest Access Authentication. The main difference between this and Basic is, that Digest is a challenge-response authentication whereas the client has to fulfill a challenge on every request and the response is just a MD5 hash. So no authentication data in plain text is being send.
Your question is a bit vague, but the general answer is that using this method gives you a more "RESTful" implementation that follows what HTTP is already good at. In this case, throwing a 401 is something that other web servers, web proxies and web browsers know how to handle. If you're just spitting out an HTML form it is only actionable by an end user whereas using the HTTP status codes allow machine interaction.
I'd recommend checking out http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol to understand what HTTP really is.  I think that should make all of this make more sense.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With