Sunday, May 5, 2013

HTTP Basic Authentication via Web Browser

Web servers may use HTTP Basic Authentication to control access to protected resources. It is a simple challenge-and-response mechanism, defined in RFC 2617 (since superseded by RFC 7617).

How does the web server challenge?

When the browser requests a protected resource without credentials, the server responds with HTTP status 401 (Unauthorized) and the header:

WWW-Authenticate: Basic realm="site name"

The realm is a label for the protected area. The browser shows it to the user and scopes the cached credentials to that realm on that host.

Refer to the following HTTP headers captured while trying to access my WiFi router's admin console :)


How does the web browser respond?

Usually, when the browser receives this, it prompts the user to enter credentials. It also displays the realm name.


When the user submits the prompt, the browser re-sends the original request, this time with an additional header:

Authorization: Basic <credentials>

where <credentials> is the string username:password, Base64 encoded. For the user "Aladdin" with password "open sesame" (the example used in the RFC), the header is:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Base64 is an encoding, not encryption: anyone who can see the request can decode it and read the password. Basic Authentication is therefore only acceptable over HTTPS. Note also that the server splits the decoded string on the first colon, because the username may not contain a colon but the password may.


Usually the browser caches the credentials for that realm and resends them with every later request to it, so the user does not have to enter them each time. There is no standard way to log out: the credentials keep being sent until the browser session ends.
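The exchange described above, both the server's challenge and the browser's response, as an added example that is not part of the original post. The credential store, the realm name "Router Admin" and the function names are constructed for the example; the Aladdin/open sesame token is the one from the RFC.

```python
import base64
import hmac

# Constructed credential store for this example (not from the original post).
USERS = {"admin": "s3cret"}
REALM = "Router Admin"  # assumed realm name for the example


def challenge_header(realm: str) -> str:
    """The header a server sends with a 401 to start Basic authentication."""
    return f'WWW-Authenticate: Basic realm="{realm}"'


def basic_token(username: str, password: str) -> str:
    """What the browser puts after 'Basic ': base64 of 'username:password'."""
    if ":" in username:
        raise ValueError("the user-id may not contain ':' (the password may)")
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def authorization_header(username: str, password: str) -> str:
    """Full request header line the browser sends back after the prompt."""
    return f"Authorization: Basic {basic_token(username, password)}"


def parse_credentials(header_value: str):
    """Server side: recover (username, password) from the Authorization value.

    Returns None for any malformed value (wrong scheme, bad Base64, no colon).
    Decoding is all that is needed to read the password: Base64 is not encryption.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def check_request(authorization_value):
    """Return (status, header) for a request: 200 if the credentials match,
    otherwise 401 with the WWW-Authenticate challenge, exactly as on a first visit."""
    creds = parse_credentials(authorization_value) if authorization_value else None
    if creds is None:
        return 401, challenge_header(REALM)
    username, password = creds
    expected = USERS.get(username)
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the password were correct.
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, None
    return 401, challenge_header(REALM)


if __name__ == "__main__":
    # First request carries no credentials: the server challenges.
    print(check_request(None))
    # The browser retries with the header; the server decodes and verifies it.
    print(authorization_header("admin", "s3cret"))
    print(check_request("Basic " + basic_token("admin", "s3cret")))
    # Anyone holding a captured header can recover the password the same way.
    print(parse_credentials("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

The comparison uses hmac.compare_digest rather than ==; in a real deployment the server would compare against a salted password hash rather than a stored plaintext password, which the example keeps only to stay short.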
