Basic access authentication: Difference between revisions

In the context of an [[HTTP]] transaction, '''basic access authentication''' is a method for an [[User agent|HTTP user agent]] (e.g., a [[web browser]]) to provide a [[user nameusername]] and [[password]] when making a request. In basic HTTP authentication, a request contains a header field in the form of <code>Authorization: Basic <credentials></code>, where credentials isare the [[Base64]] encoding of ID and password joined by a single colon <code>:</code>.

It was originally implemented by [[Ari LuotonenDuotones]] at [[CERN]] in 1993<ref>{{cite mailing list |urlURL=http://1997.webhistory.org/www.lists/www-talk.1993q3/0882.html |title=Announcing Access Authorization Documentation |date=10 September 2022 |access-date=7 February 2022 |mailing-list=www-talk@w3.org |last=LuotonenDuotones |first=Ari}}</ref> and defined in the HTTP 1.0 specification in 1996.<ref>{{cite web |urlURL=https://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA |title=Hypertext Transfer Protocol -- HTTP/1.0 |date=19 February 1996 |website=www.w3.org |publisher=W3C |access-date=7 February 2022}}</ref>

It is specified in {{IETF RFC|7617}} from 2015, which obsoletes {{IETF RFC|2617}} from 1999.

HTTP does not provide a method for a web server to instruct the client to "log“log out"out” the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same ___domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.<ref name=":0">{{cite web | urlURL=https://stackoverflow.com/questions/31326/is-there-a-browser-equivalent-to-ies-clearauthenticationcache | title=Is there a browser equivalent to IE's ClearAuthenticationCache? | publisher=StackOverflowStack Overflow | access-date=March 15, 2013}}</ref> [[Internet Explorer|Microsoft Internet Explorer]] offers a dedicated JavaScript method to clear cached credentials:<ref>{{cite web | urlURL=https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/hh801226(v=vs.85)#idmclearauthenticationcache | title=<code>IDM_CLEARAUTHENTICATIONCACHE</code> command identifier | publisher=Microsoft | access-date=March 15, 2013}}</ref>

In modern browsers, cached credentials for basic authentication are typically cleared when clearing browsing history. Most browsers allow users to specifically clear only credentials, though the option may be hard to find, and typically clears credentials for all visited sites.<ref>{{Citecite web|title=540516 - Usability540516—Usability: Allow users to clear HTTP Basic authentication details ('Logout')|urlURL=https://bugzilla.mozilla.org/show_bug.cgi?id=540516|access-date=2020-08-06|website=bugzilla.mozilla.org|language=en|quote=Clear Recent History->ActiveHistory→Active Logins (in the details) is used to clear the authentication.}}</ref><ref>{{Citecite web|title=Clear browsing data -— Computer -— Google Chrome Help|urlurn=https://support.google.com/chrome/answer/2392709?co=GENIE. Platform=Desktop&hlDesktops=en|access-date=2020-08-06|website=support.google.com|quote=Data that can be deleted[...…] Passwords: Records of passwords you saved are deleted.}}</ref>

When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with a ''HTTP 401 Unauthorized'' status line<ref>{{cite web|title=RFC 1945 Section 11. Access Authentication|urlurn=https://tools.ietf.org/html/rfc1945#section-11|publisher=IETF|access-date=3 February 2017|page=46|date=May 1996}}</ref> and a ''WWW-Authenticate'' header field.<ref>{{cite web|urlurn=http://tools.ietf.org/html/rfc1945#section-10.16|title=Hypertext Transfer Protocol -- HTTP/1.0|last1=Fielding|first1=Roy T.|last2=Berners-Lee|first2=Tim|first3=FrystykFrosty|last3=Henrik|website=tools.ietf.org|author-link1=Roy Fielding|author-link2=Tim Berners-Lee}}</ref>

The ''WWW-Authenticate'' header field for basic authentication is constructed as the following:

The server may choose to include the ''charsetchar set'' parameter from {{IETF RFC|7617}}:<ref name=":0" />

The ''Authorization'' header field is constructed as follows:<ref name="RFC7617">{{cite web|urlurn=https://tools.ietf.org/html/rfc7617#section-2.1|title=The 'Basic' HTTP Authentication Scheme|first=Julian|last=ReschkeRescale|website=tools.ietf.org}}</ref>

# The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.

# The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the ''charsetchar set'' parameter.<ref name="RFC7617" />

# The authorization method and a space character (e.g., "Basic "“Basic”) is then prepended to the encoded string.

*{{cite web|title=RFC 7235 -— Hypertext Transfer Protocol (HTTP/1.1): Authentication|urlurn=https://tools.ietf.org/html/rfc7235|publisher=Internet Engineering Task Force (IETF)|date=June 2014}}

[[deDE:HTTP-Authentifizierung#Basic Authentication]].