The recognition of a need for authentication is not new to the web - it’s been there since the earliest standards. In fact, the original URL specification included an optional username and password as part of its format (specified as
[username]:[password]@ between the protocol and host). I.e. to make a HTTP authenticated request against the CS departmental server you might use:
However, the use of authentication URLS is now highly discouraged and has been stripped from most browsers, as it is considered a security risk. Instead, if you are using HTTP-based authentication the server needs to issue a challenge 401 Unauthorized response, along with a
WWW-Authenticate header specifying the challenge. This will prompt the browser to display a username/password form and will re-submit the request with the credentials using an
Authorization header. The process looks something like this:
As you can see, when the client makes a request that requires authentication, the server issues a 401 Unauthorized status code, along with an
prompt()). If the user supplies credentials, the request is re-sent, with those credentials included in an
Authentication header. The server then decides, based on the credentials, if it will allow the request (typically a 200 response), or refuse (a 403 Unauthorized response).
WWW-Authenticate header looks like:
WWW-Authenticate: [type] realm=[realm]
[type] is the authentication scheme (
Basic being the most common), and
realm describing the protected part of the server.
In the Basic authentication scheme, the content of the
Authorization header is the string
[username]:[password] encoded in base64, where
[username] is the users' username, and
[password] is their password.
Base64 encoding is easy to undo, so you should only use HTTP Basic Authentication with the
https protocol, which encrypts the request headers. Otherwise, anyone along the path the user’s request travels can capture and decrypt the user’s credentials.
The standard also defines other authorization schemes, but none are widely used today. Instead, most web developers have opted to build authentication directly into their web application. We’ll discuss several of the most common approaches next.