Basic access authentication
|Security access control methods|
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field in the form of
Authorization: Basic <credentials>, where credentials is the Base64 encoding of ID and password joined by a single colon
HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header.
The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. Therefore, basic authentication is typically used in conjunction with HTTPS to provide confidentiality.
Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. Microsoft Internet Explorer caches the credentials for fifteen minutes by default.
In modern browsers, cached credentials for basic authentication are typically cleared when clearing browsing history. Most browsers allow users to specifically clear only credentials, though the option may be hard to find, and typically clears credentials for all visited sites.
When the server wants the user agent to authenticate itself towards the server, the server must respond appropriately to unauthenticated requests.
The WWW-Authenticate field for basic authentication is constructed as following:
WWW-Authenticate: Basic realm="User Visible Realm"
WWW-Authenticate: Basic realm="User Visible Realm", charset="UTF-8"
This parameter indicates that the server expects the client to use UTF-8 for encoding username and password (see below).
When the user agent wants to send authentication credentials to the server, it may use the Authorization field.
The Authorization field is constructed as follows:
- The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
- The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the charset parameter.
- The resulting string is encoded using a variant of Base64.
- The authorization method and a space (e.g. "Basic ") is then prepended to the encoded string.
For example, if the browser uses Aladdin as the username and OpenSesame as the password, then the field's value is the Base64 encoding of Aladdin:OpenSesame, or QWxhZGRpbjpPcGVuU2VzYW1l. Then the Authorization header will appear as:
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
A client may avoid a login prompt when accessing a basic access authentication by prepending
username:password@ to the hostname in the URL. For example, the following would access the page index.html at the web site www.example.com with the secure HTTPS protocol and provide the username Aladdin and the password OpenSesame credentials via basic authorization:
This has been deprecated by RFC 3986: Use of the format "user:password" in the userinfo field is deprecated. Modern browsers therefore no longer support URL encoding of basic access credentials. This prevents passwords from being sent and seen prominently in plain text, and also eliminates (potentially deliberately) confusing URLs like
which would query the host example.com, not google.com.
- Digest access authentication
- HTTP+HTML form-based authentication
- HTTP header
- TLS-SRP, an alternative if one wants to avoid transmitting a password-equivalent to the server (even encrypted, like with TLS).
References and notes
- "Basic Authentication". Microsoft. 2005. Retrieved October 17, 2014.
- "Is there a browser equivalent to IE's ClearAuthenticationCache?". StackOverflow. Retrieved March 15, 2013.
- "IDM_CLEARAUTHENTICATIONCACHE command identifier". Microsoft. Retrieved March 15, 2013.
- "540516 - Usability: Allow users to clear HTTP Basic authentication details ('Logout')". bugzilla.mozilla.org. Retrieved 2020-08-06.
Clear Recent History->Active Logins (in the details) is used to clear the authentication.
- "Clear browsing data - Computer - Google Chrome Help". support.google.com. Retrieved 2020-08-06.
Data that can be deleted[...]Passwords: Records of passwords you saved are deleted.
- "RFC 1945 Section 11. Access Authentication". IETF. May 1996. p. 46. Retrieved 3 February 2017.
- Fielding, Roy T.; Berners-Lee, Tim; Henrik, Frystyk. "Hypertext Transfer Protocol -- HTTP/1.0". tools.ietf.org.
- Reschke, Julian. "The 'Basic' HTTP Authentication Scheme". tools.ietf.org.
- "RFC 3986". ietf.org. Retrieved 2017-02-12.
- "82250 - HTTP username:password stripped out from links - chromium - Monorail". bugs.chromium.org. Retrieved 2016-12-07.
- "RFC 7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication". Internet Engineering Task Force (IETF). June 2014..