Basic access authentication: Difference between revisions

Edit by Rjgodoy (minor): RFC 2616 default reason phrase for 401 is "UNAUTHORIZED"
Edit summary: What's a 'normal' web site. I think 'publicly accessible' is better here.
To prevent the user name and password being read directly by a person, they are encoded as a sequence of [[Base64|base-64]] characters before transmission. For example, the user name <tt>"Aladdin"</tt> and password <tt>"open sesame"</tt> would be combined as <tt>"Aladdin:open sesame"</tt> &ndash; which is equivalent to <tt>QWxhZGRpbjpvcGVuIHNlc2FtZQ==</tt> when encoded in base-64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly", so an [[encryption|encrypted]] connection should always be used to prevent interception.
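The encoding and decoding described above, worked through in Python as an added example that is not part of the article: a client builds the `Authorization` header from the article's <tt>"Aladdin"</tt> / <tt>"open sesame"</tt> pair, a server parses it back (splitting only on the first colon so a password that itself contains a colon survives) and rejects malformed headers, and a constant-time credential check answers 401 with a <tt>WWW-Authenticate</tt> challenge. The realm name and the expected credentials are constructed values for the example; the round trip makes the article's point concrete, since the "encoded" header yields the password with one library call.

```python
import base64
import binascii
import hmac

# Constructed sample credentials, taken from the article's example.
USERNAME = "Aladdin"
PASSWORD = "open sesame"


def make_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a client sends.

    The user name may not contain a colon: the server treats the first
    colon as the separator between user name and password.
    """
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Recover (username, password) from an Authorization header.

    Returns None for anything that is not a well-formed Basic header.
    Base-64 is reversible encoding, not encryption: whoever captures the
    header recovers the credentials exactly like this.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base-64 alphabet.
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only, so passwords containing ':' stay intact.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def check_request(header, expected_user: str, expected_password: str, realm: str = "example"):
    """Server-side check (example logic, not from the article).

    Returns (status_code, challenge_header); the challenge is None on success.
    """
    creds = parse_basic_header(header) if header else None
    ok = False
    if creds is not None:
        user, pw = creds
        # Compare both fields with compare_digest and combine with '&' (not
        # 'and') so neither comparison is skipped, avoiding an early-exit
        # timing difference between "wrong user" and "wrong password".
        ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8")) & \
            hmac.compare_digest(pw.encode("utf-8"), expected_password.encode("utf-8"))
    if not ok:
        return 401, f'WWW-Authenticate: Basic realm="{realm}"'
    return 200, None


if __name__ == "__main__":
    hdr = make_basic_header(USERNAME, PASSWORD)
    print(hdr)                        # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_basic_header(hdr))    # ('Aladdin', 'open sesame')
    print(check_request(hdr, USERNAME, PASSWORD))
    print(check_request(None, USERNAME, PASSWORD))
```

Because the same `parse_basic_header` call a server runs is all an interceptor needs, the only defence the scheme offers for the credentials in transit is the encrypted connection the article recommends; the check above only hardens how the server handles what it receives.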
 
One advantage of the basic access authentication is that it is supported by almost all popular web browsers. It is rarely used on publicly accessible [[Internet]] [[Website|web sites]] but may sometimes be used by small, private systems. A later mechanism, [[digest access authentication]], was developed in order to replace the basic access authentication and enable credentials to be passed in a relatively secure manner over an otherwise insecure channel.
 
The basic access authentication was originally defined by RFC 1945 (''Hypertext Transfer Protocol &ndash; HTTP/1.0'') although further information regarding security issues may be found in RFC 2616 (''Hypertext Transfer Protocol &ndash; HTTP/1.1'') and RFC 2617 (''HTTP Authentication: Basic and Digest Access Authentication'').