Basic access authentication is the method by which an HTTP user agent, such as a web browser, supplies a username and password when making a request, within the context of an HTTP transaction. HTTP Basic authentication (BA) is the simplest technique for enforcing access controls on web resources, because it needs no session identifiers, cookies, or login pages. HTTP Basic authentication uses standard fields in the HTTP header. In HTTP (Hypertext Transfer Protocol) request and response messages, the header fields are the components of the header section, and they define the operating parameters of an HTTP transaction. Basic Authentication over an HTTP connection is used to protect one or more directories. In Basic Authentication the user credentials are sent as cleartext, so unless HTTPS is used they are vulnerable to packet sniffing.
The BA mechanism provides no confidentiality protection for the transmitted credentials. They are encoded with Base64 in transit and are not encrypted or hashed in any form. That is why basic authentication is used together with HTTPS to ensure confidentiality. Because the BA field is sent in the header of each HTTP request, the web browser has to cache the credentials for a reasonable period of time, so that the user is not constantly prompted for the username and password. Note that the caching policy differs between browsers.

Cached Credentials
Web servers are used by web hosting service providers to provide the service of web hosting, which is required to make websites accessible over the Internet. The most reliable and popular web hosting service providers are usually referred to as the "Best Windows Hosting Company", the "Top Cloud Hosting Company", the "Best Website Hosting Company", etc. With regard to the web server, HTTP provides no method by which the server can instruct the client to log the user out. Certain methods can be used to clear cached credentials in certain web browsers. One such method redirects the user to a URL on the same domain using deliberately incorrect credentials. This behaviour is inconsistent among browsers and browser versions. In modern browsers, basic authentication's cached credentials are usually cleared when the browsing history is cleared, and most browsers allow users to clear only the credentials.
Server-Side Protocol
When the server requires the user agent to authenticate itself, and it has received an unauthenticated request, it must send a response with an HTTP 401 Unauthorized status line and a WWW-Authenticate header field. For basic authentication the WWW-Authenticate header field is constructed as follows:

WWW-Authenticate: Basic realm="User Visible Realm"

The server may also include the charset parameter. This parameter indicates that the server expects the client to use UTF-8 for encoding the username and password:

WWW-Authenticate: Basic realm="User Visible Realm", charset="UTF-8"
Client-Side Protocol
The user agent uses the Authorization header field when it wants to send authentication credentials to the server. The Authorization header field is constructed as follows:

The username and password are combined with a single colon (:); hence a colon cannot be present in the username. The resulting string is encoded into an octet sequence. By default, the character set to use for this encoding is unspecified, as long as it is compatible with US-ASCII. However, the server may suggest the use of UTF-8 by sending the charset parameter.

The resulting string is encoded using a variant of Base64 (+/ alphabet, with padding). Finally, the authorization method and a space are prepended to the encoded string.
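The following Python example, added here and not part of the original article, walks through both sides of the exchange described above: the server's WWW-Authenticate challenge (with and without the charset parameter), the client's construction of the Authorization value from a username and password, and the server's parsing and constant-time verification of that value. It also shows why the text stresses HTTPS: decoding the header back to the plaintext credentials needs no key at all. The usernames and passwords are constructed sample values; the function names are this example's own.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample credentials (not from the article). A colon in the password
# is allowed; a colon in the username is not, because the FIRST colon is the separator.
SAMPLE_USERNAME = "alice"
SAMPLE_PASSWORD = "s3cret:with:colons"


def build_challenge(realm: str, utf8: bool = False) -> str:
    """Server side: the WWW-Authenticate value sent along with a 401 response."""
    value = f'Basic realm="{realm}"'
    if utf8:
        # Tells the client to encode username:password as UTF-8
        value += ', charset="UTF-8"'
    return value


def build_authorization(username: str, password: str) -> str:
    """Client side: 'Basic ' + Base64(username ':' password), UTF-8 encoded.

    Uses the standard +/ Base64 alphabet with '=' padding, as the text describes.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    token = base64.b64encode(raw).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from an Authorization header value.

    Returns None for anything that is not a well-formed Basic credential
    (wrong scheme, invalid Base64, non-UTF-8 bytes, or no colon separator).
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def check_credentials(header: str, expected_user: str, expected_password: str) -> bool:
    """Verify a presented header against the expected pair.

    hmac.compare_digest keeps the comparison constant-time for equal-length
    inputs, so timing does not reveal how many leading characters matched.
    """
    parsed = parse_authorization(header)
    if parsed is None:
        return False
    user, pw = parsed
    ok_user = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    ok_pw = hmac.compare_digest(pw.encode("utf-8"), expected_password.encode("utf-8"))
    return ok_user and ok_pw


def decode_observed_header() -> Optional[Tuple[str, str]]:
    """What any party that can read one plain-HTTP request learns from the header.

    Base64 is an encoding, not encryption: the plaintext credentials come straight
    back out, which is why the article insists on pairing BA with HTTPS.
    """
    header = build_authorization(SAMPLE_USERNAME, SAMPLE_PASSWORD)
    return parse_authorization(header)


if __name__ == "__main__":
    print(build_challenge("User Visible Realm", utf8=True))
    header = build_authorization(SAMPLE_USERNAME, SAMPLE_PASSWORD)
    print(header)
    print(decode_observed_header())
    print(check_credentials(header, SAMPLE_USERNAME, SAMPLE_PASSWORD))
```

The server-side parser deliberately returns None rather than raising on malformed input, so a handler can answer every failure with the same 401 and challenge; the verification step compares both halves even when the username already failed, so the response time does not distinguish "unknown user" from "wrong password".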
Source: https://www.htshosting.org/knowledge-base/technology/251/information-on-basic-access-authentication