问题
Why almost all websites out there are using cookies instead of basic auth? It can't be only that the user/pass window is ugly and none of them is more secure. They are both insecure (without https).
回答1:
To logout of a basic auth login the browser often needs to be quit entirely. This means there is no way for the server to log out the user.
I believe basic auth also has more overhead (assuming your cookie size isn't massive), but I might be wrong about that.
HTTP basic auth also sends the username and password with every request, making it potentially less secure because there is more opportunity for interception.
回答2:
You have more control over cookies. You can encrypt them so that they are secure even without HTTPS. Basic auth is always unsecure over HTTP. Also cookies don't contain the password on each request. And, yes, what can I say, users like AJAX login forms and nice animated effects when logging in which unfortunately cannot be achieved with basic auth.
回答3:
With cookies you have the complete control on when to authenticate the user, its not as soon as theres a request.
Plus you dont have to authenticate for pictures as well
Another thing is that you dont have to rely on a sysadmin for auth.
You also have the choice regarding the users repository with session.
There are other things. As you said, both are more or less secure so why not opt with flexibility? To showcase sites to clients we often use server auth as it is easy and a global solution.. for forms within apps, we use cookies.
来源:https://stackoverflow.com/questions/5052607/cookies-vs-basic-auth