Preserved Topic: user authentication

 
DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 08-26-2003 00:09

I need a little direction.

I am at a stage where I need to require a login for a certain section of a website. I have done a bit of reading, and have managed to confuse myself pretty well. =)

What I would like to know is what method(s) you guys would recommend for this.
Should I use .htaccess?
Should I use a PHP script? If so, which way? I've read about ways with sending headers and using a system generated dialogue, or using html forms, and sessions, etc.

I'm not looking to have it done for me, just some suggestions on what direction I should go and why...

Thanks =)



mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-26-2003 00:18

For simplicity's sake, I recommend .htaccess ...


Slime
Lunatic (VI) Mad Scientist

From: Massachusetts, USA
Insane since: Mar 2000

posted 08-26-2003 00:29

.htaccess is simple and reliable. Plus, it presents the user with a log-in dialog that they might have seen before, so there's no confusion on their part.

As for security, I assume that's not achievable without a secure HTTP connection, but I don't know the details about all that.

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 08-26-2003 00:41

I'm not overly concerned with security - we're not dealing with credit card information, or anything sensitive like that.

I would like to be somewhat confident that people can't just walk in and screw with the database though...

I have a simple .htaccess login setup now.
Is there a way with this method to be able to output on the page the username that was used, and for a logout and all that? I don't need that, I am just curious...

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-26-2003 01:01

The username of the currently logged-in user is stored in the "REMOTE_USER" server environment variable. For example, in PHP you can do the following:

<?=$_SERVER["REMOTE_USER"]?>

Optionally, PHP provides two special variables for dealing with user authentication ($_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]), but more about them can be found in the manual.

The most common way (which doesn't involve any server-side scripting) of logging out is by closing the web browser window where the password was entered. If you want to provide a "LOGOUT" link (or similar), you'll need to write an appropriate server-side script (in PHP, for example).


DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 08-26-2003 01:05

Thanks Max =)

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-26-2003 13:24

On a side note, you shouldn't store the passwords on the server.
.htaccess doesn't (it does store a crypted() version of them, and compares a crypt() of what the user enters with the stored value).

That way, even if someone grabs the database, she still doesn't have an easy go on the passwords (though even an md5 can be broken... in time. There are 4 billion possible md5s. You need an input that produces one. Enjoy waiting?)
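
Added example, not part of any post in this thread: one way to do in PHP what the posts above describe (the header-based log-in dialog, `PHP_AUTH_USER`/`PHP_AUTH_PW`, hashed password comparison, a logout link, and refusing plain HTTP). The `$users` store, the `challenge()` and `credentials_ok()` helpers, the "Members" realm and the `logout` parameter are assumptions, and `password_hash()`/`password_verify()` are used here in place of the `crypt()` call mentioned above.

```php
<?php
declare(strict_types=1);

// Constructed sample store (username => password_hash() output). In a real
// deployment the hashes are created once and loaded from a file or database.
$users = ['demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

// Send the 401 challenge that makes the browser show its log-in dialog.
function challenge(string $realm, string $message): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    exit($message);
}

// Return true only if $user exists and $pass matches the stored hash.
function credentials_ok(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    // Unknown users are checked against a throwaway hash so the response
    // time does not reveal which usernames exist.
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : password_hash('unused', PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && $known;
}

// Basic credentials are only base64-encoded, so refuse them over plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('This area is only available over HTTPS.');
}

// "Log out": answer with a fresh 401 so the browser drops the cached
// credentials (a common workaround; browser behaviour varies).
if (isset($_GET['logout'])) {
    challenge('Members', 'You have been logged out.');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if (!credentials_ok($users, $user, $pass)) {
    challenge('Members', 'Authentication required.');
}

// Escape the name before printing it: it is user-supplied input.
echo 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
echo ' - <a href="?logout=1">Log out</a>';
```

`PHP_AUTH_USER` and `PHP_AUTH_PW` are filled in when PHP itself issues the challenge, as here; when Apache handles the log-in through .htaccess, the name is read from `REMOTE_USER` instead.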

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 08-26-2003 17:42

The passwords are currently stored in a .htpasswd file. Someone suggested that would be the way to do it.
