Basic access authentication
| HTTP |
|---|
| Request methods |
| Header fields |
| Status codes |
| Security access control methods |
| Security vulnerabilities |
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where credentials is the Base64 encoding of ID and password joined by a single colon :.
It is specified in RFC 7617 from 2015, which obsoletes RFC 2617 from 1999.
Features[edit]
HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header.
Security[edit]
The BA mechanism does not provide confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit and not encrypted or hashed in any way. Therefore, basic authentication is typically used in conjunction with HTTPS to provide confidentiality.
Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers.
HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.[1] Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials:[2]
<script>document.execCommand('ClearAuthenticationCache');</script>
In modern browsers, cached credentials for basic authentication are typically cleared when clearing browsing history. Most browsers allow users to specifically clear only credentials, though the option may be hard to find, and typically clears credentials for all visited sites.[3][4]
Protocol[edit]
Server side[edit]
When the server wants the user agent to authenticate itself towards the server, the server must respond appropriately to unauthenticated requests.
To unauthenticated requests, the server should return a response whose header contains a HTTP 401 Unauthorized status<ref>{{cite web|title=RFC 1945 Section 11. Access Authentication|url=https://tools.ietf.org/html/rfc1945#section-11%7Cpublisher=IETF%7Caccess-date=3 February 2017|page=46|date=May 1996. Roy
- field
See also[edit]
- Digest access authentication
- HTTP+HTML form-based authentication
- HTTP header
- TLS-SRP, an alternative if one wants to avoid transmitting a password-equivalent to the server (even encrypted, like with TLS).
References and notes[edit]
- ^ "Is there a browser equivalent to IE's ClearAuthenticationCache?". StackOverflow. Retrieved March 15, 2013.
- ^ "IDM_CLEARAUTHENTICATIONCACHE command identifier". Microsoft. Retrieved March 15, 2013.
- ^ "540516 - Usability: Allow users to clear HTTP Basic authentication details ('Logout')". bugzilla.mozilla.org. Retrieved 2020-08-06.
Clear Recent History->Active Logins (in the details) is used to clear the authentication.
- ^ "Clear browsing data - Computer - Google Chrome Help". support.google.com. Retrieved 2020-08-06.
Data that can be deleted[...]Passwords: Records of passwords you saved are deleted.
External links[edit]
- "RFC 7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication". Internet Engineering Task Force (IETF). June 2014..