(17 intermediate revisions by 11 users not shown)
Line 1:
{{Short description|Access control method for the HTTP network communication protocol}}
{{HTTP}}
In the context of an [[HTTP]] transaction, '''basic access authentication''' is a method for an [[User Agent Profiling|HTTP user agent]] (e.g. a [[web browser]]) to provide a [[user name]] and [[password]] when making a request. In basic HTTP authentication, a request contains a header field in the form of <code>Authorization: Basic <credentials></code>, where <code><credentials></code> is the [[Base64]] encoding of ID and password joined by a single colon <code>:</code>.
Line 13 ⟶ 14:
Because the BA field has to be sent in the header of each HTTP request, the web browser needs to [[Cache (computing)|cache]] credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers.
HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same ___domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.<ref name=":0">{{cite web | url=https://stackoverflow.com/questions/31326/is-there-a-browser-equivalent-to-ies-clearauthenticationcache | title=Is there a browser equivalent to IE's ClearAuthenticationCache? | publisher=StackOverflow | access-date=March 15, 2013}}</ref>{{Better source needed|reason=The current source is user-generated and is insufficiently reliable ([[WP:NOTRS]]).|date=March 2025}} [[Internet Explorer|Microsoft Internet Explorer]] offers a dedicated JavaScript method to clear cached credentials:<ref>{{cite web | url=https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/hh801226(v=vs.85)#idmclearauthenticationcache | title=<code>IDM_CLEARAUTHENTICATIONCACHE</code> command identifier | publisher=Microsoft | access-date=March 15, 2013}}</ref>
<syntaxhighlight lang="html">
Line 26 ⟶ 27:
=== Server side ===
When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with an ''HTTP 401 Unauthorized'' status line<ref>{{cite IETF|rfc= 1945 |section =11|title=Access Authentication|
The ''WWW-Authenticate'' header field for basic authentication is constructed as follows:
Line 45 ⟶ 46:
When the user agent wants to send authentication credentials to the server, it may use the ''Authorization'' header field.
The ''Authorization'' header field is constructed as follows:<ref name="RFC7617">{{cite
# The username and password are combined with a single colon ({{code|:}}). This means that the username itself cannot contain a colon.
# The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest the use of UTF-8 by sending the ''charset'' parameter.<ref name="RFC7617" />
# The resulting string is encoded using a variant of Base64 (+/ and with padding).
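As an added example (not part of the article's wikitext), the following Python carries the three steps above through on the client side and shows the matching server-side decoding: split on the first colon only, decode the octets as UTF-8 (the charset the server may suggest), and compare in constant time. The function names, the single-account credential store and the sample inputs are constructed for illustration; the expected header value for "Aladdin" / "open sesame" is the one the RFC and the article quote.

```python
import base64
import binascii
import hmac


def build_basic_authorization(user_id: str, password: str, encoding: str = "utf-8") -> str:
    """Return an Authorization header value per RFC 7617.

    Steps: join user-id and password with a single colon, encode to octets
    (UTF-8 unless the server suggested another charset), then standard
    Base64 with '+', '/' and '=' padding.
    """
    if ":" in user_id:
        # The user-id must not contain a colon, otherwise the receiver
        # cannot tell where the user-id ends and the password begins.
        raise ValueError("user-id must not contain a colon")
    octets = f"{user_id}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(octets).decode("ascii")


def parse_basic_authorization(header_value: str, encoding: str = "utf-8"):
    """Decode an Authorization header value into (user_id, password).

    Returns None for anything that is not well-formed Basic credentials.
    The decoded text is split on the FIRST colon only, so a password that
    itself contains colons survives intact.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        octets = base64.b64decode(token.strip(), validate=True)
        text = octets.decode(encoding)
    except (binascii.Error, ValueError):
        # Not valid Base64, or not decodable in the expected charset.
        return None
    user_id, sep, password = text.partition(":")
    if not sep:
        return None
    return user_id, password


# Constructed sample credential store with one test account.
# A real server would store a password hash, never the cleartext.
_USERS = {"Aladdin": "open sesame"}


def check_request(header_value: str) -> bool:
    """Server-side check: True only if the header carries valid credentials."""
    parsed = parse_basic_authorization(header_value)
    if parsed is None:
        return False
    user_id, password = parsed
    expected = _USERS.get(user_id)
    if expected is None:
        return False
    # Constant-time comparison so a mismatch does not leak, through
    # timing, how much of the password was correct.
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    header = build_basic_authorization("Aladdin", "open sesame")
    print(header)                              # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_basic_authorization(header))   # ('Aladdin', 'open sesame')
    print(check_request(header))               # True
    print(check_request("Basic not-base64!"))  # False
```

The parser deliberately rejects malformed Base64 (`validate=True`) and a decoded string with no colon at all, and the comparison uses `hmac.compare_digest`; the point a server implementer should take from the numbered steps is that only the first colon is a delimiter.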
Line 57 ⟶ 58:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
</code>
<syntaxhighlight lang="python">
import base64
client_id, client_secret = "Aladdin", "open sesame"  # ID and password, joined by a single colon below
'Basic ' + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
</syntaxhighlight>
== See also ==
Line 67 ⟶ 72:
==External links==
*{{cite IETF|title=The 'Basic' HTTP Authentication Scheme|rfc=7617|date=September 2015|publisher=[[Internet Engineering Task Force]]}}
[[Category:Hypertext Transfer Protocol]]