Although basic authentication is no longer widely used, understanding it is still a good idea, because some of its parts are used in other security mechanisms, JWT for example.

Introduction to Basic Authentication

Basic Access Authentication is the simplest mechanism the HTTP protocol provides for an HTTP agent to supply a user name and password when making an HTTP request.
It is a simple challenge-response authentication mechanism that uses standard HTTP headers in the request and response to carry the required data.


Because of its simplicity, it has the following advantages:
  1. No cookies are needed.
  2. No sessions are needed.
  3. No custom login page is needed, because every web browser provides its own dialog for entering the user name and password.
It also has several disadvantages, each of which has a workaround; we will cover them while walking through the workflow between server and browser.

Standard Basic Authentication Scenario

This is the standard sequence of communication between the browser and the server.
  1. The browser sends an anonymous HTTP GET request to the web server.
  2. To protect a resource, the server challenges the browser by returning a response like the following example:
    HTTP/1.1 401 Access Denied
    WWW-Authenticate: Basic realm="My Server"
    Content-Length: 0
    The response has the following details:
      • HTTP status code 401 (Unauthorized)
      • The "WWW-Authenticate" response header
      • The header value must start with the word "Basic", to indicate that basic authentication is requested.
      • The header value must also carry the attribute "realm", followed by an equals sign and its value. The realm defines the "partitioning" of the protection, i.e. the protection space the credentials apply to.
  3. When the browser receives this response, most browsers prompt a login dialog that allows the user to enter a user name and password.
  4. The browser concatenates the user name and password separated by a colon, like this: username:password, and then encodes the resulting string with base64 encoding.
  5. The browser re-sends the HTTP GET, adding an "Authorization" HTTP header that carries the base64 string. This is an example of such a request:
    GET /securefiles/ HTTP/1.1
    Authorization: Basic aHR0cHdhdGNoOmY=
    As you can see, the browser sends this request with no encryption at all (note that base64 is an encoding, not encryption), which means anybody who can capture the request can decode the user name and password. This is one of the disadvantages of basic authentication, but it can be mitigated by using SSL/TLS, i.e. HTTPS.
  6. In order not to show the login dialog on every new request to that protected web site, the web browser caches the credentials and resubmits the Authorization header in every subsequent request.
  7. The browser keeps the cached credentials until the browser is closed, or until it has been idle for a long time.
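The following is an added example (not code from the original article) that implements both sides of the exchange above in Python: the server's 401 challenge, the browser's encoding of username:password, and the server's parsing and verification of the Authorization header. The user "httpwatch" with password "f" is taken from the article's own Authorization header; the hashed user store, the charset="UTF-8" parameter (from RFC 7617) and the tiny http.server handler are assumptions added for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

REALM = "My Server"  # realm value from the article's example response


def challenge_headers(realm: str = REALM) -> dict:
    """Headers the server sends with a 401 to challenge the client (step 2)."""
    # charset="UTF-8" (RFC 7617) tells the client how to encode the credentials.
    return {
        "WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"',
        "Content-Length": "0",
    }


def encode_basic(username: str, password: str) -> str:
    """What the browser does in steps 4-5: 'user:pass' -> base64 -> header value."""
    if ":" in username:
        raise ValueError("user-id must not contain a colon (RFC 7617)")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from an Authorization header.

    Returns None for anything that is not a well-formed Basic credential, so the
    caller re-issues the 401 challenge instead of guessing.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":  # the scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Only the first colon separates user-id from password; the password may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed demo user store: {username: (salt, pbkdf2_hash)}; never keep plaintext passwords.
_SALT = os.urandom(16)
USERS = {"httpwatch": (_SALT, _hash_password("f", _SALT))}


def verify_credentials(username: str, password: str) -> bool:
    """Constant-time check against the stored hash; unknown users cost the same work."""
    salt, expected = USERS.get(username, (b"\0" * 16, b"\0" * 32))
    return hmac.compare_digest(_hash_password(password, salt), expected)


def authenticate(header: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None if the request must be challenged."""
    creds = parse_authorization(header)
    if creds is None:
        return None
    username, password = creds
    return username if verify_credentials(username, password) else None


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Minimal server tying the pieces together: challenge, then serve once authenticated."""

    def do_GET(self):
        user = authenticate(self.headers.get("Authorization"))
        if user is None:
            self.send_response(401)
            for name, value in challenge_headers().items():
                self.send_header(name, value)
            self.end_headers()
            return
        body = f"Hello {user}, this is a protected resource.\n".encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Plain HTTP on localhost for a manual check with a browser; anywhere real, put TLS in
    # front of it, because the header carries base64 (an encoding), not ciphertext.
    HTTPServer(("127.0.0.1", 8080), BasicAuthHandler).serve_forever()
```

Running the module and opening http://127.0.0.1:8080/ in a browser shows the login dialog from step 3; decoding the article's own header value with parse_authorization yields ("httpwatch", "f"), which is exactly why the exchange needs HTTPS underneath it.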

Log Out of Basic Authentication

The caching introduces another side effect: the server has no way to force the client to "log out", which is another disadvantage of basic authentication.
Unfortunately the workaround for this issue is browser specific.
For IE only, we can send this JavaScript code to clear that cache:
For other browsers, developers usually resort to tricks such as logging in with wrong credentials.
See the following solutions:
These solutions rely on an HTTP URL feature that lets a client avoid the login prompt when accessing a resource protected by basic access authentication, by prepending a user name and password to the host name of the URL.
An example of providing the user name and password this way is as follows:
http://username:password@hostname
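As an added example (not from the original article), the Python functions below build and parse the username:password@hostname form of URL described above using only the standard library. It goes slightly beyond the article by percent-encoding a password that itself contains ":" or "@", and by returning a copy of the URL with the userinfo stripped, which is the form a server or proxy should write to its logs. The host name "hostname" and the credentials are constructed sample values.

```python
from typing import Optional, Tuple
from urllib.parse import quote, unquote, urlsplit, urlunsplit


def build_url_with_credentials(username: str, password: str, url: str) -> str:
    """Prepend 'username:password@' to the host part of url.

    Reserved characters inside the values are percent-encoded so a ':' or '@' in the
    password cannot be mistaken for the userinfo delimiters.
    """
    parts = urlsplit(url)
    if parts.username is not None:
        raise ValueError("url already carries userinfo")
    userinfo = f"{quote(username, safe='')}:{quote(password, safe='')}"
    return urlunsplit(parts._replace(netloc=f"{userinfo}@{parts.netloc}"))


def parse_url_credentials(url: str) -> Tuple[Optional[str], Optional[str], str]:
    """Split a URL into (username, password, url_without_userinfo).

    The third element is safe to log; the first two must never reach a log line.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None, None, url
    host = parts.netloc.rsplit("@", 1)[-1]  # everything after the last '@' is host[:port]
    clean = urlunsplit(parts._replace(netloc=host))
    return unquote(parts.username), unquote(parts.password or ""), clean


if __name__ == "__main__":
    # Constructed sample: a password containing both delimiter characters.
    url = build_url_with_credentials("alice", "p@ss:word", "http://hostname/securefiles/")
    print(url)
    print(parse_url_credentials(url))
```

Because the credentials sit in the URL, they also end up wherever URLs are recorded (browser history, proxy and access logs, Referer headers), so the redacted form returned by parse_url_credentials is the one to keep.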