GoFuckYourself.com - Adult Webmaster Forum


dcortez 04-21-2022 02:09 AM

Member area security: Basic Authentication vs PHP session variables?
 
This is for a Linux/Apache environment...

Is anyone using Basic Authentication for password protection of membership areas?

Twenty years ago, I was using Basic Authentication, but the 8 char username and password length limits won't cut it today.

I understand that both usernames and passwords can be substantially longer and more contemporary encryption algorithms are now supported by Apache.

Any suggestions, or words of wisdom?

Thanks!

k0nr4d 04-21-2022 02:12 AM

There's a mix of this still, plenty still using http authentication.

If using php sessions you need to use URL signing/hashing for the video files, because they won't be protected otherwise.
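
The URL signing mentioned in the post above, sketched as an added example that is not part of the original thread or any poster's code: the logged-in page issues an expiring HMAC-signed link, and the script serving the file checks it. The key value, the `expires`/`sig` parameter names and the sample path are assumptions made for illustration.

```php
<?php
// Added example: expiring HMAC-signed links for media files behind a PHP session login.
// SIGNING_KEY is a placeholder; in practice use a long random value stored outside the webroot.
const SIGNING_KEY = 'placeholder-replace-with-long-random-secret';

// Called from a page that has already confirmed a logged-in member via $_SESSION.
function sign_media_url(string $path, int $ttl, int $now): string
{
    $expires = $now + $ttl;
    // Bind the signature to both the exact path and the expiry time.
    $sig = hash_hmac('sha256', $path . "\n" . $expires, SIGNING_KEY);
    return $path . '?' . http_build_query(['expires' => $expires, 'sig' => $sig]);
}

// Called by the script (or rewrite target) that actually serves the file.
function verify_media_url(string $url, int $now): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['path'], $parts['query'])) {
        return false;
    }
    parse_str($parts['query'], $q);
    // Reject missing, array-valued or non-numeric parameters before using them.
    if (!isset($q['expires'], $q['sig']) || !is_string($q['expires']) || !is_string($q['sig'])
        || preg_match('/^\d{1,12}$/', $q['expires']) !== 1) {
        return false;
    }
    if ((int)$q['expires'] < $now) {
        return false; // link has expired
    }
    $expected = hash_hmac('sha256', $parts['path'] . "\n" . $q['expires'], SIGNING_KEY);
    return hash_equals($expected, $q['sig']); // constant-time comparison
}

// Constructed sample run with a fixed clock so the three cases are reproducible.
$now = 1650535200;
$url = sign_media_url('/members/videos/clip01.mp4', 3600, $now);
var_dump(verify_media_url($url, $now + 60));                                    // inside the validity window
var_dump(verify_media_url($url, $now + 7200));                                  // after expiry
var_dump(verify_media_url(str_replace('clip01', 'clip02', $url), $now + 60));   // path altered after signing
```

The check only protects files that cannot be fetched any other way, so the media has to be reachable solely through the verifying script, for example by keeping it outside the document root.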

dcortez 04-21-2022 10:13 AM

Quote:

Originally Posted by k0nr4d (Post 22993663)
There's a mix of this still, plenty still using http authentication.

If using php sessions you need to use URL signing/hashing for the video files, because they won't be protected otherwise.

Thanks for that.

I'm actually inclined to use Basic Authentication, and I just needed some assurances that it has not been totally abandoned for security limitations.

Then, there's the issue of which encryption scheme to use...

:)

k0nr4d 04-21-2022 11:02 AM

Quote:

Originally Posted by dcortez (Post 22993743)
Thanks for that.

I'm actually inclined to use Basic Authentication, and I just needed some assurances that it has not been totally abandoned for security limitations.

Then, there's the issue of which encryption scheme to use...

:)

It has not been abandoned, and there are no security issues with it other than that it doesn't natively offer any protection against bruteforce. If you are using Apache 2.4, then the algo you want to use to generate the passwords is bcrypt. None of the algos are INSECURE in practice. Google cracked SHA1 but a single phrase would apparently take a single GPU 110 years to crack so in practice no one is really gonna get through it. The only really insecure hash is unsalted MD5 because it can be reversed using rainbow tables.

dcortez 04-21-2022 11:18 AM

Quote:

Originally Posted by k0nr4d (Post 22993759)
It has not been abandoned, and there are no security issues with it other than that it doesn't natively offer any protection against bruteforce. If you are using Apache 2.4, then the algo you want to use to generate the passwords is bcrypt. None of the algos are INSECURE in practice. Google cracked SHA1 but a single phrase would apparently take a single GPU 110 years to crack so in practice no one is really gonna get through it. The only really insecure hash is unsalted MD5 because it can be reversed using rainbow tables.

Thank you. I really appreciate all this information. It will save me a lot of time.

:)


All times are GMT -7.