Overview#

In the context of an HTTP transaction, Basic Access Authentication is a method for an HTTP user agent to provide a user name and password when making a request.

HTTP Basic authentication implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifier and login pages. Rather, HTTP Basic authentication uses static, standard HTTP headers which means that no handshakes have to be done in anticipation.

When the user-agent wants to send the server authentication credentials it may use the Authorization header.[1]

Server side#

When the server wants the user agent to authenticate itself towards the server, it must respond appropriately to unauthenticated requests.

Unauthenticated requests should return a response whose header contains a HTTP 401 Not Authorized status and a WWW-Authenticate field.

The WWW-Authenticate HTTP Header Field for basic authentication (used most often) is constructed as following:

WWW-Authenticate: Basic realm="nmrs_m7VKmomQ2YM3:"

Client side#

When the user-agent wants to send the server authentication credentials it may use the Authorization field. The Authorization field is constructed as follows:

Username and password are combined into a string "username:password". Note that username cannot contain the ":" character.

The resulting string is then encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line.

The authorization method and a space i.e. "Basic " is then put before the encoded string.

For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the field is formed as follows:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-9) was last changed on 01-Jul-2016 14:14 by jim