I am working on a login section for a new project, which definitely requires user authentication.
The easiest way of doing that I assume would be using the http basic authentication. I implemented it fine on the Apache server, ssl was also intorudced to provide better security.
However, one thing concerns me, that it seems the basic authentication wouldn't stop no matter how many times a user failed to provide a valid username/password crentential. It would just keep asking...
I reckon, since each time the web server receives the credential, it needs to go through the password file to look up whether a match exists or not, it takes a certain amount of server resources. My question is, would this be a security risk of having DoS attack by malicious users?
If so, how can I stop this? By adding some configuration/feature onto the Apache? Or just swap to some other authentication method? Digest Authencation?
Many thanks to the advices in advance.