Basic access authentication: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 20:22, 20 August 2023 edit 2607:fb91:2cb8:d854:2886:9bff:feaa:3d57 (talk) →Security: This is a lie Tags: Reverted Mobile edit Mobile web edit ← Previous edit		Latest revision as of 20:05, 24 August 2025 edit undo 83.135.9.17 (talk) →Protocol: improved style Tags: Mobile edit Mobile app edit Android app edit App section source
(45 intermediate revisions by 35 users not shown)
Line 1: {{Short description\|Access control method for the HTTP network communication protocol}} {{HTTP}} In the context of an [[HTTP]] transaction, '''basic access authentication''' is a method for an [[User ~~agent~~Agent Profiling\|HTTP user agent]] (e.g. a [[web browser]]) to provide a [[user name]] and [[password]] when making a request. In basic HTTP authentication, a request contains a header field in the form of <code>Authorization: Basic <<credentials></code>, where <code><credentials></code> is the [[Base64]] encoding of ID and password joined by a single colon <code>:</code>. It was originally implemented by [[Ari Luotonen]] at [[CERN]] in 1993<ref>{{cite mailing list \|url=http://1997.webhistory.org/www.lists/www-talk.1993q3/0882.html \|title=Announcing Access Authorization Documentation \|date=10 September 2022 \|access-date=7 February 2022 \|mailing-list=www-talk@w3.org \|last=Luotonen \|first=Ari}}</ref> and defined in the HTTP 1.0 specification in 1996.<ref>{{cite web \|url=https://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA \|title=Hypertext Transfer Protocol -- HTTP/1.0 \|date=19 February 1996 \|website=www.w3.org \|publisher=W3C \|access-date=7 February 2022}}</ref> Line 13 ⟶ 14: Because the BA field has to be sent in the header of each HTTP request, the web browser needs to [[Cache (computing)\|cache]] credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same ___domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.<ref name=":0">{{cite web \| url=https://stackoverflow.com/questions/31326/is-there-a-browser-equivalent-to-ies-clearauthenticationcache \| title=Is there a browser equivalent to IE's ClearAuthenticationCache? \| publisher=StackOverflow \| access-date=March 15, 2013}}</ref>{{Better source needed\|reason=The current source is user-generated and is insufficiently reliable ([[WP:NOTRS]]).\|date=March 2025}} [[Internet Explorer\|Microsoft Internet Explorer]] offers a dedicated JavaScript method to clear cached credentials:<ref>{{cite web \| url=https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/hh801226(v=vs.85)#idmclearauthenticationcache \| title=<code>IDM_CLEARAUTHENTICATIONCACHE</code> command identifier \| publisher=Microsoft \| access-date=March 15, 2013}}</ref> <syntaxhighlight lang="html"> <script>document.execCommand('~~ClearAuthenticationCache~~');</script> </syntaxhighlight> In modern browsers, cached credentials for basic authentication are typically cleared when clearing browsing history. Most browsers allow users to specifically clear only credentials, though the option may be hard to find, and typically clears credentials for all visited sites.<ref>{{Cite web\|title=540516 - Usability: Allow users to clear HTTP Basic authentication details ('Logout')\|url=https://bugzilla.mozilla.org/show_bug.cgi?id=540516\|access-date=2020-08-06\|website=bugzilla.mozilla.org\|language=en\|quote=Clear Recent History->Active Logins (in the details) is used to clear the authentication.}}</ref><ref>{{Cite web\|title=Clear browsing data - ~~Com~~Computer - Google Chrome Help\|url=https://support.google.com/chrome/answer/2392709?co=GENIE.Platform=Desktop&hl=en\|access-date=2020-08-06\|website=support.google.com\|quote=Data that can be deleted[...]Passwords: Records of passwords you saved are deleted.}}</ref> Brute forcing credentials is not actively prevented or detected (unless a server-side mechanism is used). == Protocol == === Server side === When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with a ''HTTP 401 Unauthorized'' status line<ref>{{cite ~~web~~IETF\|~~title~~rfc=~~RFC~~ 1945 ~~Section~~\|section =11. \|title=Access Authentication\|~~url=https://tools.ietf.org/html/rfc1945#section-11\|publisher=IETF~~\|access-date=3 February 2017\|page=46\|date=May 1996 \|publisher = [[Internet Engineering Task Force]]}}</ref> and a ''WWW-Authenticate'' header field.<ref>{{cite ~~web~~IETF\|~~url~~rfc=~~http://tools.ietf.org/html/rfc1945#~~1945\|section-=10.16\|title=Hypertext Transfer Protocol -- HTTP/1.0\|last1=Fielding\|first1=Roy T.\|last2=Berners-Lee\|first2=Tim\|first3=Frystyk\|last3=Henrik~~\|website=tools.ietf.org~~\|author-link1=Roy Fielding\|author-link2=Tim Berners-Lee\|publisher = Internet Engineering Task Force}}</ref> The ''WWW-Authenticate'' header field for basic authentication is constructed as following: Line 43 ⟶ 46: When the user agent wants to send authentication credentials to the server, it may use the ''Authorization'' header field. The ''Authorization'' header field is constructed as follows:<ref name="RFC7617">{{cite ~~web~~IETF\|~~url~~rfc=~~https://tools.ietf.org/html/rfc7617#~~7617\|section-=2.1\|title=The 'Basic' HTTP Authentication Scheme\|first=Julian\|last=Reschke\|~~website~~publisher =~~tools.ietf.org~~ Internet Engineering Task Force}}</ref> # The username and password are combined with a single colon ({{code\|:}}). This means that the username itself cannot contain a colon. # The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest the use of UTF-8 by sending the ''charset'' parameter.<ref name="RFC7617" /> # The resulting string is encoded using a variant of Base64 (+/ and with padding). # The authorization method and a space character (e.g. "Basic ") is then prepended to the encoded string. Line 55 ⟶ 58: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== </code> <syntaxhighlight lang="python"> 'Basic ' + base64.b64encode(f"{<clientid>}:{<client secret key>}".encode()).decode() </syntaxhighlight> == See also == Line 65 ⟶ 72: ==External links== *{{cite ~~web~~IETF\|title=~~RFC~~The ~~7235~~'Basic' ~~- Hypertext Transfer Protocol (~~HTTP~~/1.1):~~ Authentication Scheme\|~~url~~rfc=~~https://tools.ietf.org/html/rfc7235~~7617\|date=September 2015\|publisher=[[Internet Engineering Task Force ~~(IETF)\|date=June 2014~~]]}} [[Category:Hypertext Transfer Protocol]]. [[Category:Computer access control protocols]] ~~[[de:HTTP-Authentifizierung#Basic Authentication]].~~