Hello friends, in our previous articles we discussed HTTP authentication, so we now know the importance of authentication and authorization. It is time to look at the various schemes available for authentication and how they are implemented, starting with Basic authentication.
HTTP provides a general framework for access control and authentication. The most common HTTP authentication scheme is "Basic". This page is an introduction to HTTP Basic authentication.
How Authentication Starts
- First, the HTTP client makes a request to the web server.
- The request method does not have to be GET; it can be any method.
- If the web server sees that the requested resource needs authentication, it sends back a 401 Unauthorized status code along with a WWW-Authenticate header.
- The client then displays a dialog box to take the username and password as input.
- Once the credentials have been entered, the client sends them using the Authorization header.
- If the credentials are correct, the server responds with a 200 status code and may include an Authentication-Info header.
- If the client sends wrong credentials in the Authorization header, the server responds with a 401 status code again. The protocol allows the client to try again and again.
As noted above, when the web server sees that the requested resource needs authentication, it sends back a 401 Unauthorized response carrying a WWW-Authenticate header. That header is what an unauthenticated user receives, and its realm directive is discussed next.
What is a realm? Let's discuss this.
Servers use the realm to group different parts of the server: the same realm, and therefore the same username and password, applies to other resources at the same level and deeper in the URL space. The browser saves the credentials for each realm. Whenever it receives a WWW-Authenticate challenge for a realm it has already saved, it automatically resends the credentials without prompting the user again. The browser also sends the Authorization header pre-emptively to URLs deeper than the one whose realm and credentials are known. This effectively creates a session across URIs sharing the same realm and across URIs below a saved realm.
The header must contain a realm directive. The realm is displayed in the dialog box.
The client sends the request again with the credentials entered in the dialog box. The browser uses the Authorization header to send this information to the server. The username and password are joined with a colon between them and the result is encoded using base64.
So if the username is "deepak" and the password is "pwd123456", the string "deepak:pwd123456" is generated and then base64-encoded. The encoded result is sent to the server.
Below is the Authorization header for that username and password.
Authorization: Basic ZGVlcGFrOnB3ZDEyMzQ1Ng==
Some organizations use proxy servers to authenticate users before allowing them to access web server resources. Proxies use the same mechanism to authenticate users, but the header names and status code change. Below are the changes:
- Response status 407: a 407 status code is sent instead of 401. This code is meant for proxy authentication.
- Proxy-Authenticate: Proxy-Authenticate is used instead of WWW-Authenticate.
- Proxy-Authorization: Proxy-Authorization is used instead of Authorization when the credentials are sent.
- Proxy-Authentication-Info: Proxy-Authentication-Info is used instead of Authentication-Info.
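The whole exchange described above (the realm challenge, the base64 encoding of "username:password", the server-side check, and the 407/Proxy-Authenticate variant) as an added Python example; this is not code from the original article. The credential store, the realm name "Example" and the simulate_exchange walk-through are constructed for illustration.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example; a real server would hold
# salted password hashes, not plaintext passwords.
USERS = {"deepak": "pwd123456"}


def make_challenge(realm, proxy=False):
    """Server (or proxy) side: status code and header that start the exchange.

    A web server answers 401 with WWW-Authenticate; a proxy answers 407 with
    Proxy-Authenticate. The realm is quoted as-is, so it must not contain '"'.
    """
    if proxy:
        return 407, "Proxy-Authenticate", 'Basic realm="%s"' % realm
    return 401, "WWW-Authenticate", 'Basic realm="%s"' % realm


def make_credentials(username, password):
    """Client side: 'username:password' in UTF-8, then base64 (the wire form)."""
    if ":" in username:
        # The server splits on the first colon, so a colon in the username
        # would be mistaken for the separator.
        raise ValueError("Basic auth user names cannot contain ':'")
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def authorization_header(username, password, proxy=False):
    """Header name and value the client sends on its second request."""
    name = "Proxy-Authorization" if proxy else "Authorization"
    return name, "Basic " + make_credentials(username, password)


def parse_basic(header_value):
    """Server side: recover (username, password) from the header, or None.

    Rejects other schemes, invalid base64, non-UTF-8 bytes and a missing colon
    rather than raising, so a malformed header just counts as 'no credentials'.
    """
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


def check_credentials(header_value, users=USERS):
    """Server side: True only if the header carries a known user's password."""
    parsed = parse_basic(header_value)
    if parsed is None:
        return False
    username, password = parsed
    # Look up "" for unknown users so the comparison below always runs;
    # compare_digest keeps its timing independent of where the first
    # differing byte is.
    expected = users.get(username, "")
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matches and username in users


def simulate_exchange(username, password, realm="Example", proxy=False):
    """Walk through the steps from the article; return the status codes seen."""
    statuses = []
    # 1. The first request carries no credentials, so the server challenges.
    status, _name, _challenge = make_challenge(realm, proxy)
    statuses.append(status)
    # 2. The client (browser dialog) answers with the Authorization header.
    _name, value = authorization_header(username, password, proxy)
    # 3. Correct credentials get 200; wrong ones get the same challenge again,
    #    and the protocol lets the client keep retrying.
    statuses.append(200 if check_credentials(value) else status)
    return statuses


if __name__ == "__main__":
    print(make_challenge("Example"))
    print(authorization_header("deepak", "pwd123456"))
    print(simulate_exchange("deepak", "pwd123456"))          # [401, 200]
    print(simulate_exchange("deepak", "wrong", proxy=True))  # [407, 407]
```

Because the protocol itself permits unlimited retries, the server side of a real deployment should add rate limiting or lockout on repeated 401s; nothing in the scheme does that for you.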
The Authentication-Info Header Field
Sometimes the server returns additional information using the Authentication-Info header.
HTTP authentication schemes can use the Authentication-Info response header field to return additional information applicable to the authentication currently in use.
The field value is a list of parameters (name/value pairs).
The Authentication-Info header field can be used in any HTTP response, independently of request method and status code.
Security of Basic Authentication
As the user ID and password are passed over the network essentially in clear text (base64 is an encoding, not encryption, and is trivially reversible), the Basic authentication scheme is not secure on its own. HTTPS / TLS should be used in conjunction with Basic authentication. Without that additional protection, Basic authentication should not be used to protect sensitive or valuable information.
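Two defensive consequences of that point, as an added Python example that is not part of the original article: any Basic header that lands in a log or capture is a stored password, so it should be redacted and the affected accounts rotated; and a server should refuse to evaluate Basic credentials that arrived over plaintext HTTP instead of quietly accepting them. The captured request lines, the "svc-backup" account and the WSGI-style `environ` dictionaries are constructed for the example.

```python
import base64
import binascii
import re

# Constructed request capture (the kind of lines that end up in a proxy log).
# The second credential is built inline so the sample stays self-contained.
CAPTURE = [
    "GET /admin HTTP/1.1",
    "Host: intranet.example.test",
    "Authorization: Basic ZGVlcGFrOnB3ZDEyMzQ1Ng==",
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"svc-backup:Hunter2!").decode("ascii"),
    "User-Agent: curl/8.0",
]

BASIC_HEADER = re.compile(
    r"^(?P<name>(?:Proxy-)?Authorization):\s*Basic\s+(?P<token>[A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE,
)


def redact_basic_credentials(lines):
    """Return (cleaned lines, exposed user names) for a captured request.

    Base64 is reversible, so a stored Basic header is a stored password. Only
    the user name is decoded, so the report says which accounts need a
    password rotation; the passwords themselves are never written back out.
    """
    cleaned, exposed = [], []
    for line in lines:
        match = BASIC_HEADER.match(line)
        if not match:
            cleaned.append(line)
            continue
        try:
            text = base64.b64decode(match.group("token"), validate=True).decode("utf-8")
            username = text.partition(":")[0]
        except (binascii.Error, ValueError, UnicodeDecodeError):
            username = "<undecodable>"
        exposed.append(username)
        cleaned.append("%s: Basic [REDACTED]" % match.group("name"))
    return cleaned, exposed


def basic_allowed(environ, trusted_proxy=False):
    """True only if the request carrying Basic credentials arrived over TLS.

    `environ` is a WSGI-style dict. X-Forwarded-Proto is honoured only when
    the caller states that a trusted TLS-terminating proxy set it; otherwise
    a client on a plaintext connection could simply claim "https".
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    if trusted_proxy:
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
    return scheme.lower() == "https"


def guard_request(environ, trusted_proxy=False):
    """Decide the response status before any credential check takes place."""
    has_basic = environ.get("HTTP_AUTHORIZATION", "").lower().startswith("basic ")
    if has_basic and not basic_allowed(environ, trusted_proxy):
        # The credentials already crossed the wire in the clear; refuse rather
        # than verify them, so a plaintext deployment fails loudly.
        return "403 Forbidden"
    if not has_basic:
        return "401 Unauthorized"
    return "200 OK"  # safe to go on and verify the credentials


if __name__ == "__main__":
    lines, users = redact_basic_credentials(CAPTURE)
    print("\n".join(lines))
    print("rotate passwords for:", users)
    print(guard_request({"wsgi.url_scheme": "http",
                         "HTTP_AUTHORIZATION": "Basic ZGVlcGFrOnB3ZDEyMzQ1Ng=="}))
```

Whether the plaintext case gets a 403 or a redirect to the https URL is a deployment choice; the property that matters is that the server never verifies, and so never confirms, credentials that were already exposed in transit.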