htaccess password protect website

[tyutghf]

My company wish to place a section of the intranet on our external server and only allow staff access.

They are happy with one password for all users which they will change every month so htaccess is probably a good option for this.

What they are worried about is security of this section, they are adamant they want it external so staff can access from anywhere but prevent it being hacked.

I've searched but not found an answer to htaccess password protection security. Could I ask some questions please?

1. Will htaccess password protection simply allow a user to brute force it or will it prevent access after say 3 failed tries?
2. Does it request the password on each visit or can we use cookies to remember a user (expires 30 days)
3. Is htaccess the best route for this or should I create a php login form?

Thanks

 

[feherke]

Hi

Actually "htaccess password protection" is called HTTP Authentication, you may find more relevant documentation with that name. There are actually two such authentication methods, the basic and the digest, but none of them uses cookies. And as far as I know, there is no way to limit the authentication's validity. And neither the maximum failed login attempts. HTTP authentication is handled by the browser and credential once entered, the browser will just send it with each request for basic and each time the server requires for digest method.

HTTP authentication is great for protecting static content. Easy, cheap, includes authenticated user name in logs, successfully handled by download tools. But it may be too rigid for certain cases.


Feherke.
feherke.ga