Introduction to Basic Authentication

Basic Access Authentication is the simplest mechanism the HTTP protocol provides for an HTTP agent to supply a user name and password when making an HTTP request.
It is a simple challenge-response authentication mechanism that uses standard HTTP headers in the request and response to transfer the required data.
Advantages

Because of its simplicity, it has the following advantages:
- No need to use sessions.
- No need to use customized login pages, because every web browser provides its own way to prompt for the user name and password.
Standard Basic Authentication Scenario

This is the standard scenario of the communication between the browser and the server.
- The browser sends an anonymous HTTP GET request to a web server.
- The server, in order to protect the resource, challenges the browser by returning the following example response:
```http
HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="My Server"
Content-Length: 0
```

The response has the following details:
- HTTP status code 401 (Unauthorized).
- The "WWW-Authenticate" response header.
- The header value starts with the word "Basic", to indicate that basic authentication is required.
- The header value also carries the attribute "realm", followed by an equal sign and its value. The realm defines the "partitioning" of the protection space.
The browser then repeats the request with an "Authorization" header whose value is the word "Basic" followed by the base64-encoded "username:password":

```http
GET /securefiles/ HTTP/1.1
Host: www.my-server.com
Authorization: Basic aHR0cHdhdGNoOmY=
```

As you can see, the browser sends this request with no encryption at all (base64 is an encoding, not encryption), which means anybody who can capture the request can decode the user name and password. This is one of the disadvantages of basic authentication, but it can be mitigated by using SSL / HTTPS.
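To make the exchange above concrete, here is an added example (not code from the original article) in Python: it builds the 401 challenge with its realm, decodes the "Authorization: Basic" value from the request (showing that base64 is an encoding, not encryption), and checks the credentials against a constructed user table. The names USERS, challenge, parse_basic and authenticate are assumptions of this example.

```python
import base64
import hmac

# Constructed credential store for the example; "httpwatch:f" is what the
# page's sample header "Basic aHR0cHdhdGNoOmY=" decodes to.
USERS = {"httpwatch": "f"}


def challenge(realm: str) -> str:
    """Build the 401 challenge; the realm partitions the protection space."""
    return (
        "HTTP/1.1 401 Unauthorized\r\n"
        f'WWW-Authenticate: Basic realm="{realm}"\r\n'
        "Content-Length: 0\r\n\r\n"
    )


def parse_basic(header_value: str):
    """Decode 'Basic <base64(user:password)>'; None if not well-formed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        user, sep, password = raw.decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return None
    if not sep:  # the colon separator between user and password is mandatory
        return None
    return user, password


def authenticate(request: str, realm: str = "My Server"):
    """Return (status, response) for a raw request; 401 + challenge unless
    the Authorization header carries valid credentials."""
    headers = {}
    for line in request.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    creds = parse_basic(headers.get("authorization", ""))
    if creds is None:
        return 401, challenge(realm)
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time comparison so a wrong password cannot be told apart by timing.
    if user in USERS and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, "HTTP/1.1 200 OK\r\n\r\n"
    return 401, challenge(realm)
```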
Log Out of Basic Authentication

Browser caching of the credentials introduces another side effect: the server has no way to force the client to "log out", which is a disadvantage of basic authentication.
Unfortunately, the workaround for this issue is browser specific.
For other browsers, developers usually resort to tricks such as logging in with wrong credentials.
See the following solutions:
These solutions are based on an HTTP protocol feature that allows a client to avoid the login prompt when accessing a resource protected by basic access authentication, by prepending the username / password to the host name in the URL.
An example of providing the username / password this way is as follows: