security issues exist with the various authentication methods:
Each authentication method (basic, ntlm,
cookie, ISAPI) has
For basic authentication username and password details are sent in plain
text. If you are using NT users this can cause further troubles because
if this information is discovered the user may have the ability to change
files on the server. This can be enhanced through the use of SSL
however there is a performance penalty and cost for obtaining and
maintaining a certificate.
provides enhanced security over basic authentication at the cost of compatibility,
users must be using Internet Explorer for their browser.
Cookie authentication has the same issue as basic authentication but only
for the login form. You should use SSL for the login form but from
that point on the session is tracked with a single cookie and that cookie
does not contain any username or password details. In contrast, with
basic authentication the userid and password are sent with each request.
an ISAPI filter you control how security is implemented. Commercial
solutions provide options for encrypted cookies which have the advantage
of cookie login without requiring sessions. They can also be used
with basic authentication and keep users separate from the NT user
base. Commercial products also can provide enhanced quota and
tracking features to prevent password cracking and account abuse (e.g.
duplicate logins using the same userid)