
HTTP basic authentication

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by BronzeByte at 14:33, 1 September 2012 (page created). It may differ significantly from the current revision.

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request.

Advantages

For private, internal sites, HTTP Basic authentication is easy to implement because it needs no login pages or cookies. The credentials travel in static request headers, so no preliminary handshake has to take place before the request is made.

Programmers and system administrators sometimes use basic access authentication—in a trusted network environment—to manually test web servers using Telnet or other plain-text network tools. This is a cumbersome process, but the network traffic is human-readable for diagnostic purposes.

One other advantage of basic authentication is that it avoids the double hop authentication problem that can cause problems for protocols such as NTLM.

Disadvantages

Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, if SSL/TLS is not used, then the credentials are passed as plaintext and could be intercepted.

Existing browsers retain authentication information until the tab or browser is closed or the user clears the history.[1] HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser or using sessions in the URL.

Protocol

Server side

When the server wants the user agent to authenticate itself to the server, it can send an authentication request.

This request should be sent using the HTTP 401 Not Authorized response code[2] containing a WWW-Authenticate HTTP header.[3]

The WWW-Authenticate header for basic authentication (the most commonly used scheme) is constructed as follows:[4]

WWW-Authenticate: Basic realm="insert realm"

Client side

When the user agent wants to send authentication credentials to the server, it uses the Authorization header.[5]

The Authorization header is constructed as follows:[6]

  1. The user name and password are joined together with a colon.
  2. The resulting string is encoded using Base64.

If the user agent used 'Aladin' as the user name and 'sesam open' as the password, the header would look like the following (the scheme name precedes the encoded credentials):

Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
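The client-side construction described above, together with the matching decoding a server performs, as an added example in Python that is not part of the original article. The function names are my own, and UTF-8 is assumed as the character encoding, which the article does not specify.

```python
import base64
import binascii


def build_basic_authorization(username, password, encoding="utf-8"):
    """Return the value of an Authorization header for HTTP Basic auth.

    Steps from the article: join user name and password with a colon, then
    Base64-encode the result; the scheme name "Basic" prefixes the token.
    The user name must not contain a colon, because the first colon is the
    field separator when the server decodes the token.
    """
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    raw = f"{username}:{password}".encode(encoding)  # assumed encoding
    token = base64.b64encode(raw).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value, encoding="utf-8"):
    """Split an Authorization header value back into (username, password).

    Returns None for anything that is not a well-formed Basic credential, so
    a server can answer with a 401 challenge instead of raising. Splits on
    the *first* colon only, so passwords containing colons round-trip.
    """
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode(encoding)
    except (binascii.Error, ValueError):
        return None  # invalid Base64 or bytes not valid in the encoding
    if ":" not in raw:
        return None  # no separator: not a user:password pair
    username, password = raw.split(":", 1)
    return username, password


if __name__ == "__main__":
    # The article's own example values, round-tripped.
    header = build_basic_authorization("Aladin", "sesam open")
    print("Authorization:", header)
    print("decoded:", parse_basic_authorization(header))
```

Note that decoding is a reversal, not a secret operation: anyone who can read the header can recover the password, which is why the article insists on TLS.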
