HTTP Basic Auth:
- Client sends username / password in clear text
- should be used only with HTTPS (SSL)
HTTP Digest:
- Client sends hashed form of the password to the server
- should be used over HTTPS (SSL)
- Caution: although the password itself is never sent and so cannot be captured, the hashed response can be replayed.
HTTP Basic Auth - details:
- If a server gets an anonymous request for a protected resource, it can immediately reject the request with a 401 (access denied) code and set the WWW-Authenticate response header as shown below.
- The web browser displays a login dialog when this response is received.
- The user enters a username / password.
- The browser sends all the information back to the server:
GET /securefiles/ HTTP/1.1
Host: www.httpwatch.com
Authorization: Basic aHR0cHdhdGNoOmY=
- The authorization value "aHR0cHdhdGNoOmY=" is simply the base64-encoded version of username:password
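As an added example (not code from the original post), the exchange above in Python: the 401 challenge the server returns, the Authorization header the browser builds, and the server parsing and checking it. The credential store and realm are constructed for the demo; decoding the header shows why Basic needs HTTPS.

```python
import base64
import binascii
import hmac

# Constructed demo credential store (not from the original post): username -> password.
USERS = {"httpwatch": "f"}
REALM = "securefiles"

def challenge(realm=REALM):
    """401 response a server sends for an anonymous request to a protected resource."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}

def encode_basic(username, password):
    """Build the Authorization header the browser sends: base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic(header):
    """Recover (username, password) from an Authorization header, or None if malformed."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the username cannot contain ':' but the password can, so split once.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password

def handle_request(headers):
    """Return (status, headers) for GET /securefiles/ given the request headers."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return challenge()
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time compare so response timing does not leak how many bytes matched.
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, {}
    return challenge()

if __name__ == "__main__":
    print(handle_request({"Host": "www.httpwatch.com"}))   # anonymous -> 401 + challenge
    hdr = encode_basic("httpwatch", "f")
    print(hdr)                                             # the header from the post
    print(parse_basic(hdr))    # anyone who sees the plaintext request recovers the password
    print(handle_request({"Authorization": hdr}))          # (200, {})
```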