Basic access authentication: Difference between revisions

External links: Update RFC link to 7617, which obsoletes the previous link
Protocol: improved style
Tags: Mobile edit Mobile app edit Android app edit App section source
 
(21 intermediate revisions by 12 users not shown)
Line 1:
{{Short description|Access control method for the HTTP network communication protocol}}
{{HTTP}}
In the context of an [[HTTP]] transaction, '''basic access authentication''' is a method for an [[User Agent Profiling|HTTP user agent]] (e.g. a [[web browser]]) to provide a [[user name]] and [[password]] when making a request. In basic HTTP authentication, a request contains a header field in the form of <code>Authorization: Basic <&lt;credentials></code>, where <code><&lt;credentials></code> is the [[Base64]] encoding of ID and password joined by a single colon <code>:</code>.
 
It was originally implemented by [[Ari Luotonen]] at [[CERN]] in 1993<ref>{{cite mailing list |url=http://1997.webhistory.org/www.lists/www-talk.1993q3/0882.html |title=Announcing Access Authorization Documentation |date=10 September 2022 |access-date=7 February 2022 |mailing-list=www-talk@w3.org |last=Luotonen |first=Ari}}</ref> and defined in the HTTP 1.0 specification in 1996.<ref>{{cite web |url=https://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA |title=Hypertext Transfer Protocol -- HTTP/1.0 |date=19 February 1996 |website=www.w3.org |publisher=W3C |access-date=7 February 2022}}</ref>
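Review bot: the first citation's `date=10 September 2022` is inconsistent with the claim it supports and with its own `access-date=7 February 2022`: the cited www-talk post sits in the 1993q3 archive and the sentence dates the implementation to 1993, yet the citation dates the post to 2022, after it was supposedly accessed. Check the archive and correct the year (most likely 1993) so the citation matches the sentence.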
Line 13 ⟶ 14:
Because the BA field has to be sent in the header of each HTTP request, the web browser needs to [[Cache (computing)|cache]] credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers.
 
HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same ___domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.<ref name=":0">{{cite web | url=https://stackoverflow.com/questions/31326/is-there-a-browser-equivalent-to-ies-clearauthenticationcache | title=Is there a browser equivalent to IE's ClearAuthenticationCache? | publisher=StackOverflow | access-date=March 15, 2013}}</ref>{{Better source needed|reason=The current source is user-generated and is insufficiently reliable ([[WP:NOTRS]]).|date=March 2025}} [[Internet Explorer|Microsoft Internet Explorer]] offers a dedicated JavaScript method to clear cached credentials:<ref>{{cite web | url=https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/hh801226(v=vs.85)#idmclearauthenticationcache | title=<code>IDM_CLEARAUTHENTICATIONCACHE</code> command identifier | publisher=Microsoft | access-date=March 15, 2013}}</ref>
 
<syntaxhighlight lang="html">
Line 26 ⟶ 27:
 
=== Server side ===
When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with a ''HTTP 401 Unauthorized'' status line<ref>{{cite webIETF|titlerfc=RFC 1945 Section|section =11. |title=Access Authentication|url=https://tools.ietf.org/html/rfc1945#section-11|publisher=IETF|access-date=3 February 2017|page=46|date=May 1996 |publisher = [[Internet Engineering Task Force]]}}</ref> and a ''WWW-Authenticate'' header field.<ref>{{cite webIETF|urlrfc=http://tools.ietf.org/html/rfc1945#1945|section-=10.16|title=Hypertext Transfer Protocol -- HTTP/1.0|last1=Fielding|first1=Roy T.|last2=Berners-Lee|first2=Tim|first3=Frystyk|last3=Henrik|website=tools.ietf.org|author-link1=Roy Fielding|author-link2=Tim Berners-Lee|publisher = Internet Engineering Task Force}}</ref>
 
The ''WWW-Authenticate'' header field for basic authentication is constructed as following:
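Review bot: the second citation inverts an author's name: `first3=Frystyk|last3=Henrik` puts the surname in the given-name field; the HTTP/1.0 author is Henrik Frystyk (Nielsen), so it should read `first3=Henrik|last3=Frystyk`. Two style points in the same hunk: "a ''HTTP 401 Unauthorized'' status line" should be "an ''HTTP 401 Unauthorized''", and "constructed as following" should be "constructed as follows", matching the wording used for the Authorization header further down.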
Line 45 ⟶ 46:
When the user agent wants to send authentication credentials to the server, it may use the ''Authorization'' header field.
 
The ''Authorization'' header field is constructed as follows:<ref name="RFC7617">{{cite webIETF|urlrfc=https://tools.ietf.org/html/rfc7617#7617|section-=2.1|title=The 'Basic' HTTP Authentication Scheme|first=Julian|last=Reschke|websitepublisher =tools.ietf.org Internet Engineering Task Force}}</ref>
 
# The username and password are combined with a single colon ({{code|:}}). This means that the username itself cannot contain a colon.
# The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest the use of UTF-8 by sending the ''charset'' parameter.<ref name="RFC7617" />
# The resulting string is encoded using a variant of Base64 (+/ and with padding).
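Review bot: step 3's parenthetical "(+/ and with padding)" is too terse to be understood without prior knowledge; spell it out as the standard Base64 alphabet (`+` and `/`, not the URL-safe `-` and `_`) with `=` padding. The steps also never state that this encoding is reversible: Base64 is not encryption, so anyone who can read the request header recovers the username and password, which is why the scheme is only safe over an encrypted connection; one sentence to that effect after step 3 would keep readers from mistaking the encoded value for a protected one.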
Line 57 ⟶ 58:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
</code>
 
<syntaxhighlight lang="python">
'Basic ' + base64.b64encode(f"{<clientid>}:{<client secret key>}".encode()).decode()
</syntaxhighlight>
 
== See also ==
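Review bot: the Python snippet is not valid Python: `{<clientid>}` and `{<client secret key>}` inside an f-string are parsed as expressions and raise a SyntaxError, and `base64` is used without `import base64`. Use plain variables, e.g. `import base64` / `user, password = "Aladdin", "open sesame"` / `'Basic ' + base64.b64encode(f"{user}:{password}".encode()).decode()`, which yields exactly the `Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==` value shown above (`.encode()` defaults to UTF-8, consistent with the charset note in step 2). The placeholder names "client id" and "client secret key" are OAuth vocabulary, whereas this article and the surrounding example are about a username and password; match the terminology.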
Line 67 ⟶ 72:
 
==External links==
*{{cite webIETF|title=RFC 7617 - The 'Basic' HTTP Authentication Scheme|urlrfc=https://datatracker.ietf.org/doc/html/rfc76177617|date=September 2015|publisher=[[Internet Engineering Task Force (IETF)|date=September 2015]]}}
 
[[Category:Hypertext Transfer Protocol]].
[[Category:Computer access control protocols]]
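Review bot: the external-links citation carries `date=September 2015` twice, and the second copy sits inside the wikilink brackets (`[[Internet Engineering Task Force (IETF)|date=September 2015]]`), which turns the link's display text into "date=September 2015"; keep a single `date=` parameter outside the link. Separately, the trailing period after `[[Category:Hypertext Transfer Protocol]]` is stray punctuation and should be dropped.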