Basic access authentication: Difference between revisions

Revision by Lee J Haywood, edit summary: "SSL is obsolete - removed unnecessary reference to it, and encrypted connections aren't strictly necessary"
Revision by Lee J Haywood, edit summary: "may be found used -> may sometimes be used"
The user name and password are joined with a colon and encoded as a sequence of [[Base64|base-64]] characters before transmission. Base-64 only makes the credentials safe to carry in an HTTP header field; it is not encryption and hides nothing from anyone who sees the request. For example, the user name <tt>"Aladdin"</tt> and password <tt>"open sesame"</tt> would be combined as <tt>"Aladdin:open sesame"</tt>, which encodes in base-64 as <tt>QWxhZGRpbjpvcGVuIHNlc2FtZQ==</tt> and is sent as the header <tt>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</tt>. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly", so an [[encryption|encrypted]] connection should always be used to prevent interception.
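The encoding and its trivial reversal, as an added example that is not part of the original article: it builds the <tt>Authorization</tt> header value from a user name and password, parses it back (splitting on the first colon only, so a password that itself contains a colon survives the round trip), and pulls the credentials straight out of a captured request the way a sniffer would. The sample request and the helper names (<tt>build_basic_authorization</tt>, <tt>parse_basic_authorization</tt>, <tt>credentials_from_request</tt>) are constructed for this illustration; only the standard library is used.

```python
from __future__ import annotations

import base64


def build_basic_authorization(username: str, password: str) -> str:
    """Return the Authorization header value for the Basic scheme.

    The credentials are joined with ':' and base-64 encoded.  A colon in
    the user name would make the pair ambiguous, so it is rejected here;
    colons in the password are fine because the receiver splits on the
    first one only.  UTF-8 is assumed for non-ASCII characters (a common
    choice; it agrees with RFC 2617's ISO-8859-1 for plain ASCII).
    """
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header_value: str) -> tuple[str, str]:
    """Recover (username, password) from an Authorization header value.

    Raises ValueError for a non-Basic scheme, malformed base-64, or a
    payload without the ':' separator.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        # validate=True rejects stray characters instead of ignoring them;
        # binascii.Error and UnicodeDecodeError are both ValueErrors.
        raw = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except ValueError as exc:
        raise ValueError("malformed Basic credential") from exc
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password


# Constructed sample of what a passive observer sees on an unencrypted
# connection; this is not a captured real request.
SAMPLE_REQUEST = (
    "GET /private/index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    "User-Agent: ExampleClient/1.0\r\n"
    "\r\n"
)


def credentials_from_request(raw_request: str) -> tuple[str, str] | None:
    """Decode the Basic credentials in a raw HTTP request, or None if absent.

    Only the header block (before the first blank line) is inspected;
    header names are compared case-insensitively as HTTP requires.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return parse_basic_authorization(value)
    return None


if __name__ == "__main__":
    header = build_basic_authorization("Aladdin", "open sesame")
    print(header)                                   # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_basic_authorization(header))        # ('Aladdin', 'open sesame')
    print(credentials_from_request(SAMPLE_REQUEST))  # ('Aladdin', 'open sesame')
```

The round trip is the whole point: nothing in <tt>parse_basic_authorization</tt> needs a key or a secret, which is why the article insists on an encrypted connection rather than on the encoding.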
 
One advantage of the basic authentication scheme is that it is supported by almost all popular web browsers. It is rarely used on normal [[Internet]] [[Website|web sites]] but may sometimes be used by small, private systems. A later mechanism, [[digest access authentication]], was developed to replace the basic authentication scheme and to allow credentials to be passed in a relatively secure manner over an otherwise insecure channel.
 
The basic authentication scheme was originally defined by RFC 1945 (''Hypertext Transfer Protocol &ndash; HTTP/1.0'') although further information regarding security issues may be found in RFC 2616 (''Hypertext Transfer Protocol &ndash; HTTP/1.1'') and RFC 2617 (''HTTP Authentication: Basic and Digest Access Authentication'').