Basic authentication has gotten a bad reputation over the years. Sure, it's not as flexible as
forms authentication and not as secure as NT Challenge Response, but it has something going for
it that neither of these does - it's basic - as in simple!
Normally authentication is handled via IIS, but what if you're with a hosting company and
don't have easy access to IIS or the NTFS permissions? Well, take a look at this little script.
Without securing it via NTFS or changing any settings in IIS, you can upload this file and,
unless a user knows a valid login and password for the server, they won't be able to
see the protected page contents. Pretty slick, huh?
<%@ Language="VBScript" %>
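<%
Option Explicit

' AUTH_USER is empty until IIS has validated a login for this request.
If Request.ServerVariables("AUTH_USER") = "" Then
	' Ask the browser to prompt for a login and password.
	Response.Status = "401 Unauthorized"
	Response.AddHeader "WWW-Authenticate", "Basic"
	Response.End
End If
%>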
<html>
<head>
<title>Authentication Sample</title>
</head>
<body>
<p>
Stuff you need to be authenticated to see!
</p>
</body>
</html>
Now please realize that unless it's combined with something like SSL, using this type of script
is highly insecure and results in your username
and password being transmitted in plain text. But then again, not everything we do on the web is
mission critical, now is it? What real harm is there if someone breaks into the admin page of
that web site that displays pictures of your last vacation? Granted, you don't want just anyone
to be able to add or delete pictures, but if someone wants to spend the time and effort to hack in,
what's the worst case scenario -- you have to change your password and re-upload the pictures?
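A hardened variant of the script above, as an added example that is not part of the original tip:
it refuses to issue the Basic challenge over plain HTTP and sends the browser to HTTPS first.
The host name and realm are placeholders, and it assumes the site already has an HTTPS binding.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Placeholders (assumptions, not from the original tip): set these for your site.
Const SECURE_HOST = "www.example.com"
Const REALM = "Protected Area"

Dim secureUrl, query

' IIS sets the HTTPS server variable to "on" for SSL/TLS requests, "off" otherwise.
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
	' Never challenge over plain HTTP: the browser would answer with the
	' login and password merely Base64-encoded, readable by anyone on the path.
	' The host comes from a constant rather than the request, so a forged
	' Host header cannot steer the redirect somewhere else.
	secureUrl = "https://" & SECURE_HOST & Request.ServerVariables("URL")
	query = Request.ServerVariables("QUERY_STRING")
	If query <> "" Then secureUrl = secureUrl & "?" & query
	Response.Redirect secureUrl
End If

' From here on the request is encrypted, so the challenge is safe to send.
If Request.ServerVariables("AUTH_USER") = "" Then
	Response.Status = "401 Unauthorized"
	Response.AddHeader "WWW-Authenticate", "Basic realm=""" & REALM & """"
	Response.End
End If

' Keep the protected page out of browser and proxy caches.
Response.AddHeader "Cache-Control", "no-store"
%>
<html>
<head>
<title>Authentication Sample</title>
</head>
<body>
<p>
Stuff you need to be authenticated to see!
</p>
</body>
</html>
```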