Jump to content

Basic access authentication: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
No edit summary
Tags: Visual edit Mobile edit Mobile web edit
Add WWW-Authenticate example
Line 25: Line 25:


The ''WWW-Authenticate'' field for basic authentication (used most often) is constructed as following:
The ''WWW-Authenticate'' field for basic authentication (used most often) is constructed as following:

WWW-Authenticate: Basic realm="User Visible Realm"


=== Client side ===
=== Client side ===

Revision as of 09:53, 9 May 2016

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request.

Features

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes.

Security

The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is, therefore, typically preferred used in conjunction with Basic Authentication.

Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. Microsoft Internet Explorer by default caches them for 15 minutes.[1]

HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain containing credentials that are intentionally incorrect.

Unfortunately, this behavior is inconsistent between various browsers and browser versions.[2] Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials:[3]

 <script>document.execCommand('ClearAuthenticationCache', 'false');</script>

Protocol

Server side

When the server wants the user agent to authenticate itself towards the server, it must respond appropriately to unauthenticated requests.

Unauthenticated requests should return a response whose header contains a HTTP 401 Unauthorized status[4] and a WWW-Authenticate field.[5]

The WWW-Authenticate field for basic authentication (used most often) is constructed as following:

WWW-Authenticate: Basic realm="User Visible Realm"

Client side

When the user agent wants to send the server authentication credentials it may use the Authorization field.[6]

The Authorization field is constructed as follows:[7][8][9]

  1. The username and password are combined
  2. The resulting string is encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line.
  3. The authorization method and a space i.e. "Basic " is then put before the encoded string.

For example, if the user agent uses Aladdin as the username and OpenSesame as the password then the field is formed as follows:

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

URL encoding

A client may avoid a login prompt when accessing a basic access authentication by prepending username:password@ to the hostname in the url. For example, the following would access the page index.html at the web site www.example.com with the secure HTTPS protocol and provide the username Aladdin and the password OpenSesame credentials via basic authorization:

https://Aladdin:OpenSesame@www.example.com/index.html


See also

References and notes

  1. ^ "Basic Authentication". Microsoft. 2005. Retrieved October 17, 2014.
  2. ^ "Is there a browser equivalent to IE's ClearAuthenticationCache?". StackOverflow. Retrieved March 15, 2013.
  3. ^ "IDM_CLEARAUTHENTICATIONCACHE command identifier". Microsoft. Retrieved March 15, 2013.
  4. ^ http://tools.ietf.org/html/rfc1945#section-11
  5. ^ http://tools.ietf.org/html/rfc1945#section-10.16
  6. ^ http://tools.ietf.org/html/rfc1945#section-10.2
  7. ^ http://tools.ietf.org/html/rfc1945#section-10.2
  8. ^ http://tools.ietf.org/html/rfc1945#section-11
  9. ^ http://tools.ietf.org/html/rfc1945#section-11.1