undefined | Better HN

0 pointshakre3y ago0 comments

Well if you already execute an application server like Apache, you should handle auth&z in there. Would be stupid to let PHP deal with it. Or would you handle the TLS termination as well in the PHP script? Well just like that. Perhaps the mistake was to do it otherwise.

0 comments

1 comments · 1 top-level

giantrobot3y ago

The HTTP server/proxy is only going to handle TLS termination. It can also handle basic resource authentication in a pinch. But for all other auth tasks need to be done by the application. Just because a user can access a URL doesn't mean they have access to a particular row in a database or write access or something. The user data may not even live locally and be provided by an external provider which is also beyond the scope of the HTTP server.

I don't know why you would think it's the HTTP front end's job to do any of that. It's all clearly the domain of the back end application.

j / k navigate · click thread line to collapse