The method by which an HTTP user agent, such as a web browser, provides a username and password while making a request, in the context of an HTTP transaction, is referred to as the basic access authentication. HTTP Basic authentication (BA) implementation provides the simplest technique that is meant for enforcing access controls on web resources. This is due to the fact that it does not need session identifiers, cookies, or login pages. Standard fields are used by HTTP Basic authentication in the HTTP header. With regard to request and response messages in HTTP (Hypertext Transfer Protocol), HTTP header fields refer to the components of the header section. The operating parameters of an HTTP transaction are defined by these. Basic Authentication over an HTTP connection is used to protect one or more directories. The user credentials are sent as cleartext in Basic Authentication. Since HTTPS is not used, these are vulnerable to packet sniffing.
Confidentiality protection with regard to transmitted credentials is not provided by the BA mechanism. These are encoded with Base64 in transit and are not encrypted or hashed in any form. That is why basic authentication is used along with HTTPS to ensure confidentiality. The web browser has to cache credentials for a reasonable period of time as the BA field gets sent in the header of each HTTP request. This ensures that the user is not constantly prompted for the username and password. It needs to be mentioned that the caching policy differs between browsers.
Cached Credentials
In the context of web servers, these are used to provide the service of web hosting by web hosting service providers. Web hosting is required to make websites accessible over the Internet. The most reliable and popular web hosting service providers are usually referred to as the “Best Windows Hosting Company”, the “Top Cloud Hosting Company”, the “Best Website Hosting Company”, etc. With regard to web server, HTTP does not provide a method that can instruct the client to carry out the log out of the user. Certain methods can be used for clearing cached credentials in certain web browsers. One such method involves the redirection of the user to a URL on the same domain, using incorrect credentials intentionally. It should be mentioned here that there is inconsistency in this behaviour among various browsers and browser versions. In modern browsers, basic authentication’s cached credentials are usually cleared while the browsing history is cleared. Users are allowed by most browsers to specifically clear only credentials.
Server-Side Protocol
When it is required by the server that the user agent authenticates itself for the server, post receiving an unauthenticated request, a response needs to be sent with an HTTP 401 Unauthorized status line and a WWW-Authenticate header field. The construction of the WWW-Authenticate header field with regard to basic authentication is as follows:
WWW-Authenticate: Basic realm="User Visible Realm"
The charset parameter might be included by the server. It is indicated by this parameter that the server expects the use of UTF-8 by the client for the purpose of encoding username and password.
WWW-Authenticate: Basic realm="User Visible Realm", charset="UTF-8"
Client-Side Protocol
The Authorization header field might be used by the user agent when it wants to send authentication credentials to the server. The construction of the Authorization header field is as follows:
A single colon (:) is used to combine the username and password. Hence, a colon cannot be present in the username. It is an octet sequence into which the resulting string is encoded. By default, the character set that has to be used for this encoding is unspecified till it is compatible with US-ASCII. However, the use of UTF-8 might be suggested by the server. This is done by sending the charset parameter. A variant of Base64 (+/ and with padding) is used to encode the resulting string. Next, a space and the authorization method are prepended to the encoded string.
Comments