WWW-Authenticate

DRAFT
Actually the content of this page is a copy of http://en.wikipedia.org/wiki/Basic_access_authentication.

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a username and password when making a request.

Features

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifier, and login pages. Rather, HTTP Basic authentication uses static, standard HTTP headers which means that no handshakes have to be done in anticipation.

As a standard protocol, username and password for BA can be passed in URL, for example:

https://username:password@www.example.com/path

Because of this, BA is frequently used where a restricted URL needs to be accessed programmatically, especially from shell scripts or batch files.

Security

The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with BASE64 in transit, but not encrypted or hashed in any way. Basic Authentication is, therefore, typically used over HTTPS.

Because BA header has to be sent with each HTTP request, the web browser needs to cache the credentials for a reasonable period to avoid constant prompting user for the username and password. Caching policy differs between browsers. Microsoft Internet Explorer by default caches them for 15 minutes.

While HTTP does not provide a method for a web server to instruct the browser to "log out" the user (forget cached credentials), there are a number of workarounds using specific features in various browsers. One of them is redirecting the user to an URL on the same domain containing credentials that are intentionally incorrect:

https://forget:forget@www.example.com/path

Unfortunately, this behavior is inconsistent between various browsers and browser versions. Only Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials:

<script>document.execCommand('ClearAuthenticationCache', 'false');</script>

Protocol

Server side

When the server wants the user agent to authenticate itself towards the server, it can send a request for authentication.

This request should be sent using the HTTP 401 Not Authorized response code containing a WWW-Authenticate HTTP header.

The WWW-Authenticate header for basic authentication (used most often) is constructed as following:

WWW-Authenticate: Basic realm="insert realm"

Client side

When the user agent wants to send the server authentication credentials it may use the Authorization header.

The Authorization header is constructed as follows:

  1. Username and password are combined into a string "username:password".
  2. The resulting string literal is then encoded using Base64.
  3. The authorization method and a space, i.e. "Basic " is then put before the encoded string.

For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the header is formed as follows:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

See also

References and notes

 

Document Tags and Contributors

Contributors to this page: Sheppy
Last updated by: Sheppy,