Question

Given a simple login system (register and login), which of the two choices is more secure:

  • Using htaccess and htpasswd files to store and authenticate users
  • Using php to CRUD and MySQL (or any other database really) to store the info

User info consists purely of username-password.

Of course, best-case is assumed for both options: MySQL injections are accounted for, password is md5/sha1/md5+sha1/any other means encrypted, etc.

In case you're wondering, in the first case, php will add user credentials to the htpasswd file. (see this question for an example implementation.)


Solution

I'd say always the login form (by which I assume you mean standard session-based authentication).

  • .htaccess authentication transmits the password on every request (Of course, SSL would help here)

  • .htaccess authentication doesn't have any rate limiting / brute-force protection by default in Apache

  • Logging out from .htaccess authentication is a bitch
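The .htaccess setup the question describes, written out here as an added example (not part of the answer above) with the two settings that address the first bullet: refusing plain HTTP so the credentials never cross the wire in the clear, and storing bcrypt rather than the default hash in the password file. The file paths, realm name and user are assumptions; the directives need `AllowOverride AuthConfig` (and mod_ssl) enabled for the directory.

```apache
# .htaccess -- HTTP Basic auth against a password file (Apache 2.4 directives)
AuthType Basic
AuthName "Members"
# Keep the password file outside the document root so it can never be served.
AuthUserFile /var/www/auth/.htpasswd
Require valid-user

# The browser resends the password on every request, so refuse plain HTTP:
# SSLRequireSSL (mod_ssl) answers non-TLS requests with 403 instead of letting
# the Authorization header travel unencrypted.
SSLRequireSSL

# Create the file with bcrypt hashes. The htpasswd default is an MD5-based
# (apr1) hash, which is cheap to brute-force offline if the file leaks:
#
#   htpasswd -c -B -C 12 /var/www/auth/.htpasswd alice
#
# -B selects bcrypt, -C 12 sets the work factor; drop -c when adding further users.
# Note that Apache itself still does nothing about repeated failed attempts.
```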

OTHER TIPS

There is pretty much no difference between the 2 ways in terms of in-flight security, but Pekka's concerns are all valid. If you just want to use HTTP Basic Auth (i.e. the popup box) as opposed to a login form, you can do it via PHP by looking for $_SERVER['PHP_AUTH_USER'] and, if you don't find it, sending back a 401 response such as:

    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        // First request (or the browser sent no Authorization header):
        // ask for credentials and stop here.
        header('WWW-Authenticate: Basic realm="MY REALM"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Please contact us if you are having problems logging in';
        exit;
    } else {
        // Not their first time through: the browser sent credentials.
        // Check the username and password here (against a hashed record).
        $username = trim($_SERVER['PHP_AUTH_USER']);
        $password = $_SERVER['PHP_AUTH_PW']; // don't trim: spaces may be part of the password
        // do login
    }

This way you can do rate limiting / brute-force detection. Set a session so that the password isn't sent with each request; that also makes logging the user out and tracking them way easier.
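Putting the two answers together, here is an added example (not the code of either answer) of Basic auth handled by PHP with a hashed password store, per-IP rate limiting and a session so the password is verified only once. SQLite in memory stands in for MySQL so it runs offline with `php file.php`; the table names, limits, IP addresses and the sample user are constructed for the example. One caveat the session does not remove: the browser keeps resending the Authorization header for the realm until it is closed, which is why logout stays awkward.

```php
<?php
// Added example: HTTP Basic auth in PHP with bcrypt hashes in a database,
// per-IP rate limiting and a session. SQLite in memory stands in for MySQL;
// table names, limits and the sample user are assumptions for this example.
declare(strict_types=1);

const MAX_FAILURES = 5;       // failed attempts per IP before lockout
const LOCKOUT_SECONDS = 900;  // lockout window in seconds

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE login_failures (ip TEXT NOT NULL, ts INTEGER NOT NULL)');
    return $db;
}

function register(PDO $db, string $user, string $pass): void {
    // Store only a bcrypt hash; prepared statements keep user input out of the SQL.
    $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
       ->execute([$user, password_hash($pass, PASSWORD_BCRYPT)]);
}

function is_locked_out(PDO $db, string $ip, int $now): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_failures WHERE ip = ? AND ts > ?');
    $stmt->execute([$ip, $now - LOCKOUT_SECONDS]);
    return (int)$stmt->fetchColumn() >= MAX_FAILURES;
}

function record_failure(PDO $db, string $ip, int $now): void {
    $db->prepare('INSERT INTO login_failures (ip, ts) VALUES (?, ?)')->execute([$ip, $now]);
}

function check_credentials(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();           // false when the user does not exist
    return $hash !== false && password_verify($pass, $hash);
}

/**
 * Decide what to do with one request. $server plays the role of $_SERVER and
 * $session that of $_SESSION, so the logic can be exercised from the CLI.
 * Returns ['status' => 200|401|429, 'user' => string|null].
 */
function authenticate(PDO $db, array $server, array &$session, int $now): array {
    if (isset($session['user'])) {
        // Already logged in: the browser still resends the Authorization header
        // on every request, but we no longer need to run bcrypt on it.
        return ['status' => 200, 'user' => $session['user']];
    }
    $ip = $server['REMOTE_ADDR'] ?? 'unknown';
    if (is_locked_out($db, $ip, $now)) {
        return ['status' => 429, 'user' => null];
    }
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return ['status' => 401, 'user' => null];   // caller sends WWW-Authenticate
    }
    if (!check_credentials($db, $server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        record_failure($db, $ip, $now);
        return ['status' => 401, 'user' => null];
    }
    $session['user'] = $server['PHP_AUTH_USER'];
    return ['status' => 200, 'user' => $session['user']];
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with a constructed user and constructed requests.
    $db = setup_db();
    register($db, 'alice', 'correct horse battery staple');
    $session = [];
    $bad = ['REMOTE_ADDR' => '203.0.113.5', 'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'wrong'];
    for ($i = 0; $i < MAX_FAILURES; $i++) {
        echo authenticate($db, $bad, $session, time())['status'], ' ';   // wrong password, repeatedly
    }
    $good = $bad;
    $good['PHP_AUTH_PW'] = 'correct horse battery staple';
    echo authenticate($db, $good, $session, time())['status'], "\n";     // right password, but this IP is locked out
    $good['REMOTE_ADDR'] = '198.51.100.9';
    echo authenticate($db, $good, $session, time())['status'], ' ';      // fresh IP, right password: logged in
    unset($good['PHP_AUTH_PW']);
    echo authenticate($db, $good, $session, time())['status'], "\n";     // no password needed: the session carries the login
} else {
    // Web glue: replace setup_db() with a connection to the real users table.
    session_start();
    $r = authenticate(setup_db(), $_SERVER, $_SESSION, time());
    if ($r['status'] === 401) {
        header('WWW-Authenticate: Basic realm="MY REALM"');
        http_response_code(401);
        exit('Unauthorized');
    }
    if ($r['status'] === 429) {
        http_response_code(429);
        exit('Too many failed logins, try again later');
    }
    echo 'Hello, ', htmlspecialchars($r['user'], ENT_QUOTES, 'UTF-8');
}
```

Rate limiting here is keyed on the client address; behind a proxy or load balancer you would key on the forwarded address (only if you trust that header) or on the username, since otherwise every client shares one counter.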

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow