Translate

Saturday, August 4, 2018

Basic Access Authentication

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request.
It is specified in RFC 7617 from 2015, which obsoletes RFC 2617 from 1999.

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, removing the need for handshakes.

The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. Therefore, Basic Authentication is typically used in conjunction with HTTPS to provide confidentiality.
Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. Microsoft Internet Explorer by default caches them for 15 minutes.
HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain containing credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions. Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials.

When the server wants the user agent to authenticate itself towards the server, the server must respond appropriately to unauthenticated requests.
To unauthenticated requests, the server should return a response whose header contains a HTTP 401 Unauthorized status[4] and a WWW-Authenticate field.[5]
The WWW-Authenticate field for basic authentication is constructed as following:
WWW-Authenticate: Basic realm="User Visible Realm"
The server may choose to include the charset parameter from RFC 7617:
WWW-Authenticate: Basic realm="User Visible Realm" charset="UTF-8"
This parameter indicates that the server expects the client to use UTF-8 for encoding username and password.

Courtesy of Wikipedia

Cumberland Computer Services., LLC
205-467-4055
https://cumberlandcomputerservices.com/
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)