secure authentication ??

[sKunKbad]

I am working on a website for a friend who wants to be able to have a secret message page for contributors. I found this script, which is working great, but I'm wondering if it is truly secure, and if not, how can I make it more solid.

[code]<?php
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
    || ( $PHP_AUTH_USER != 'Us3rn4M367' ) || ( $PHP_AUTH_PW != 'Tx56g$30o0' ) ) {

    header( 'WWW-Authenticate: Basic realm="Private"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;
}
?>
<html>
    <head>
    <title>Special Access Page</title>
    </head>
    <body>
    <h1>User Authenticated!</h1>
    <p>This is the message.</p>
    <p>Hello agents,<br/>
Please let the monkey feed itself. There are no room for dice in my bag.</p>
    </body>
</html>[/code]

Thanks for your help,
sKunKbad

[Daniel0]

It is truly secure if you are sending it over an encrypted connection (SSL). That is when there is written https instead of http in the url.

[sKunKbad]

hmm... well its not an encrypted connection. I don't even know how to do that.....

[Daniel0]

You would have to ask your host to set it up for you (it will cost money) and you will need to get a certificate (more money).

[sKunKbad]

without the SSL, is this mostly secure?

I just looked in this guys hosting control panel, and SSL isn't an option. His host really bites if you ask me, but I wont name any names. I don't think he is going to want to pay for SSL. He's a bible smuggling missionary, so kinda on a low budget.

[Daniel0]

Depends. You can of course not login without the correct combination of username and password, but a third-party could intercept the data while it is being transfered from the client to the server.

[sKunKbad]

well, as long as the interceptor isn't the government of the country he is smuggling bibles into, I think he is going to be OK. Thanks for your time Daniel0.