fbpx
Wikipedia

Basic access authentication

January 01, 1970

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where <credentials> is the Base64 encoding of ID and password joined by a single colon :.

It was originally implemented by Ari Luotonen at CERN in 1993[1] and defined in the HTTP 1.0 specification in 1996.[2] It is specified in RFC 7617 from 2015, which obsoletes RFC 2617 from 1999.

Features edit

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header.

Security edit

The BA mechanism does not provide confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit and not encrypted or hashed in any way. Therefore, basic authentication is typically used in conjunction with HTTPS to provide confidentiality.

Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers.

HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.[3] Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials:[4] 

<script>document.execCommand('ClearAuthenticationCache');</script>

In modern browsers, cached credentials for basic authentication are typically cleared when clearing browsing history. Most browsers allow users to specifically clear only credentials, though the option may be hard to find, and typically clears credentials for all visited sites.[5][6]

Brute forcing credentials is not actively prevented or detected (unless a server-side mechanism is used).

Protocol edit

Server side edit

When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with a HTTP 401 Unauthorized status line[7] and a WWW-Authenticate header field.[8]

The WWW-Authenticate header field for basic authentication is constructed as following:

WWW-Authenticate: Basic realm="User Visible Realm"

The server may choose to include the charset parameter from RFC 7617:[3]

WWW-Authenticate: Basic realm="User Visible Realm", charset="UTF-8"

This parameter indicates that the server expects the client to use UTF-8 for encoding username and password (see below).

Client side edit

When the user agent wants to send authentication credentials to the server, it may use the Authorization header field.

The Authorization header field is constructed as follows:[9]

  1. The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
  2. The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the charset parameter.[9]
  3. The resulting string is encoded using a variant of Base64 (+/ and with padding).
  4. The authorization method and a space character (e.g. "Basic ") is then prepended to the encoded string.

For example, if the browser uses Aladdin as the username and open sesame as the password, then the field's value is the Base64 encoding of Aladdin:open sesame, or QWxhZGRpbjpvcGVuIHNlc2FtZQ==. Then the Authorization header field will appear as:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

See also edit

References and notes edit

  1. ^ Luotonen, Ari (10 September 2022). "Announcing Access Authorization Documentation". www-talk@w3.org (Mailing list). Retrieved 7 February 2022.
  2. ^ "Hypertext Transfer Protocol -- HTTP/1.0". www.w3.org. W3C. 19 February 1996. Retrieved 7 February 2022.
  3. ^ a b "Is there a browser equivalent to IE's ClearAuthenticationCache?". StackOverflow. Retrieved March 15, 2013.
  4. ^ "IDM_CLEARAUTHENTICATIONCACHE command identifier". Microsoft. Retrieved March 15, 2013.
  5. ^ "540516 - Usability: Allow users to clear HTTP Basic authentication details ('Logout')". bugzilla.mozilla.org. Retrieved 2020-08-06. Clear Recent History->Active Logins (in the details) is used to clear the authentication.
  6. ^ "Clear browsing data - Computer - Google Chrome Help". support.google.com. Retrieved 2020-08-06. Data that can be deleted[...]Passwords: Records of passwords you saved are deleted.
  7. ^ "RFC 1945 Section 11. Access Authentication". IETF. May 1996. p. 46. Retrieved 3 February 2017.
  8. ^ Fielding, Roy T.; Berners-Lee, Tim; Henrik, Frystyk. "Hypertext Transfer Protocol -- HTTP/1.0". tools.ietf.org.
  9. ^ a b Reschke, Julian. "The 'Basic' HTTP Authentication Scheme". tools.ietf.org.

External links edit

  • "RFC 7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication". Internet Engineering Task Force (IETF). June 2014..

January 01, 1970
basic, access, authentication, context, http, transaction, basic, access, authentication, method, http, user, agent, browser, provide, user, name, password, when, making, request, basic, http, authentication, request, contains, header, field, form, authorizati. In the context of an HTTP transaction basic access authentication is a method for an HTTP user agent e g a web browser to provide a user name and password when making a request In basic HTTP authentication a request contains a header field in the form of Authorization Basic lt credentials gt where lt credentials gt is the Base64 encoding of ID and password joined by a single colon It was originally implemented by Ari Luotonen at CERN in 1993 1 and defined in the HTTP 1 0 specification in 1996 2 It is specified in RFC 7617 from 2015 which obsoletes RFC 2617 from 1999 Contents 1 Features 2 Security 3 Protocol 3 1 Server side 3 2 Client side 4 See also 5 References and notes 6 External linksFeatures editHTTP Basic authentication BA implementation is the simplest technique for enforcing access controls to web resources because it does not require cookies session identifiers or login pages rather HTTP Basic authentication uses standard fields in the HTTP header Security editThe BA mechanism does not provide confidentiality protection for the transmitted credentials They are merely encoded with Base64 in transit and not encrypted or hashed in any way Therefore basic authentication is typically used in conjunction with HTTPS to provide confidentiality Because the BA field has to be sent in the header of each HTTP request the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password Caching policy differs between browsers HTTP does not provide a method for a web server to instruct the client to log out the user However there are a number of methods to clear cached credentials in certain web browsers One of them is redirecting the user to a URL on the same domain using credentials that are intentionally incorrect However this behavior is inconsistent between various browsers and browser versions 3 Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials 4 lt script gt document execCommand ClearAuthenticationCache lt script gt In modern browsers cached credentials for basic authentication are typically cleared when clearing browsing history Most browsers allow users to specifically clear only credentials though the option may be hard to find and typically clears credentials for all visited sites 5 6 Brute forcing credentials is not actively prevented or detected unless a server side mechanism is used Protocol editServer side edit When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request it must send a response with a HTTP 401 Unauthorized status line 7 and a WWW Authenticate header field 8 The WWW Authenticate header field for basic authentication is constructed as following WWW Authenticate Basic realm User Visible Realm The server may choose to include the charset parameter from RFC 7617 3 WWW Authenticate Basic realm User Visible Realm charset UTF 8 This parameter indicates that the server expects the client to use UTF 8 for encoding username and password see below Client side edit When the user agent wants to send authentication credentials to the server it may use the Authorization header field The Authorization header field is constructed as follows 9 The username and password are combined with a single colon This means that the username itself cannot contain a colon The resulting string is encoded into an octet sequence The character set to use for this encoding is by default unspecified as long as it is compatible with US ASCII but the server may suggest use of UTF 8 by sending the charset parameter 9 The resulting string is encoded using a variant of Base64 and with padding The authorization method and a space character e g Basic is then prepended to the encoded string For example if the browser uses Aladdin as the username and open sesame as the password then the field s value is the Base64 encoding of Aladdin open sesame or QWxhZGRpbjpvcGVuIHNlc2FtZQ Then the Authorization header field will appear as Authorization Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ See also editDigest access authentication HTTP header TLS SRP an alternative if one wants to avoid transmitting a password equivalent to the server even encrypted like with TLS References and notes edit Luotonen Ari 10 September 2022 Announcing Access Authorization Documentation www talk w3 org Mailing list Retrieved 7 February 2022 Hypertext Transfer Protocol HTTP 1 0 www w3 org W3C 19 February 1996 Retrieved 7 February 2022 a b Is there a browser equivalent to IE s ClearAuthenticationCache StackOverflow Retrieved March 15 2013 IDM CLEARAUTHENTICATIONCACHE command identifier Microsoft Retrieved March 15 2013 540516 Usability Allow users to clear HTTP Basic authentication details Logout bugzilla mozilla org Retrieved 2020 08 06 Clear Recent History gt Active Logins in the details is used to clear the authentication Clear browsing data Computer Google Chrome Help support google com Retrieved 2020 08 06 Data that can be deleted Passwords Records of passwords you saved are deleted RFC 1945 Section 11 Access Authentication IETF May 1996 p 46 Retrieved 3 February 2017 Fielding Roy T Berners Lee Tim Henrik Frystyk Hypertext Transfer Protocol HTTP 1 0 tools ietf org a b Reschke Julian The Basic HTTP Authentication Scheme tools ietf org External links edit RFC 7235 Hypertext Transfer Protocol HTTP 1 1 Authentication Internet Engineering Task Force IETF June 2014 Retrieved from https en wikipedia org w index php title Basic access authentication amp oldid 1222888899, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.