10. HTTP Authentication
HTTP supports the use of several authentication mechanisms to control access to pages and other resources. These mechanisms are all based around the use of the 401 status code and the WWW-Authenticate response header.
The most widely used HTTP authentication mechanisms are:
The client sends the user name and password as unencrypted base64 encoded text. It should only be used with HTTPS, as the password can be easily captured and reused over HTTP.
The client sends a hashed form of the password to the server. Although, the password cannot be captured over HTTP, it may be possible to replay requests using the hashed password.
This uses a secure challenge/response mechanism that prevents password capture or replay attacks over HTTP. However, the authentication is per connection and will only work with HTTP/1.1 persistent connections. For this reason, it may not work through all HTTP proxies and can introduce large numbers of network roundtrips if connections are regularly closed by the web server.
In this section, we will just discuss the Basic authentication mechanism but more detailed information about HTTP authentication can be found in RFC 2617.
10.1 Basic Authentication
If an HTTP receives an anonymous request for a protected resource it can force the use of Basic authentication by rejecting the request with a 401 (Access Denied) status code and setting the WWW-Authenticate response header as shown below:
HTTP/1.1 401 Access Denied WWW-Authenticate: Basic realm="My Server" Content-Length: 0
The word Basic in the WWW-Authenticate selects the authentication mechanism that the HTTP client must use to access the resource. The realm string can be set to any value to identify the secure area and may used by HTTP clients to manage passwords.
Most web browsers will display a login dialog when this response is received, allowing the user to enter a username and password. This information is then used to retry the request with an Authorization request header:
GET /securefiles/ HTTP/1.1 Host: www.httpwatch.com Authorization: Basic aHR0cHdhdGNoOmY=
The Authorization specifies the authentication mechanism (in this case Basic) followed by the username and password. Although, the string aHR0cHdhdGNoOmY= may look encrypted it is simply a base64 encoded version of <username>:<password>. In this example, the un-encoded string "httpwatch:foo" was used and would be readily available to anyone who could intercept the HTTP request.
Clicking the Display Image button will attempt to access an image file that uses HTTP Basic Authentication. You will need to enter httpwatch as the username and a different password every time you access the image:
Using HttpWatch with Example 10
To view the use of HTTP authentication on this page:
- Open HttpWatch by right clicking on the web page and selecting HttpWatch from the context menu
- Click on Record to start logging requests in HttpWatch
- Click on the Display Image button above
- A 401 response is received and the login dialog is displayed.
- If you enter a username of httpwatch and some unique text as the password, the request will be successfully processed with a 200 response.
- Select the Headers tab to view the use of the WWW-Authenticate and Authorize headers