| HTTP |
|---|
 |
| Request methods |
| Header fields |
| Response status codes |
| Security access control methods |
| Security vulnerabilities |
In the context of anHTTP transaction,basic access authentication is a method for anHTTP user agent (e.g. aweb browser) to provide auser name andpassword when making a request. In basic HTTP authentication, a request contains a header field in the form ofAuthorization: Basic <credentials>, where<credentials> is theBase64 encoding of ID and password joined by a single colon:.
It was originally implemented byAri Luotonen atCERN in 1993[1] and defined in the HTTP 1.0 specification in 1996.[2]It is specified inRFC 7617 from 2015, which obsoletesRFC 2617 from 1999.
HTTP Basic authentication (BA) implementation is the simplest technique for enforcingaccess controls to web resources because it does not requirecookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in theHTTP header.
The BA mechanism does not provideconfidentiality protection for the transmitted credentials. They are merely encoded withBase64 in transit and notencrypted orhashed in any way. Therefore, basic authentication is typically used in conjunction withHTTPS to provide confidentiality.
Because the BA field has to be sent in the header of each HTTP request, the web browser needs tocache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers.
HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.[3][better source needed]Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials:[4]
<script>document.execCommand('');</script>
In modern browsers, cached credentials for basic authentication are typically cleared when clearing browsing history. Most browsers allow users to specifically clear only credentials, though the option may be hard to find, and typically clears credentials for all visited sites.[5][6]
Brute forcing credentials is not actively prevented or detected (unless a server-side mechanism is used).
When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with aHTTP 401 Unauthorized status line[7] and aWWW-Authenticate header field.[8]
TheWWW-Authenticate header field for basic authentication is constructed as following:
WWW-Authenticate: Basic realm="User Visible Realm"
The server may choose to include thecharset parameter fromRFC 7617:[3]
WWW-Authenticate: Basic realm="User Visible Realm", charset="UTF-8"
This parameter indicates that the server expects the client to use UTF-8 for encoding username and password (see below).
When the user agent wants to send authentication credentials to the server, it may use theAuthorization header field.
TheAuthorization header field is constructed as follows:[9]
:). This means that the username itself cannot contain a colon.For example, if the browser usesAladdin as the username andopen sesame as the password, then the field's value is the Base64 encoding ofAladdin:open sesame, orQWxhZGRpbjpvcGVuIHNlc2FtZQ==. Then theAuthorization header field will appear as:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
'Basic '+base64.b64encode(f"{<clientid>}:{<clientsecretkey>}".encode()).decode()
IDM_CLEARAUTHENTICATIONCACHE command identifier". Microsoft. RetrievedMarch 15, 2013.Clear Recent History->Active Logins (in the details) is used to clear the authentication.
Data that can be deleted[...]Passwords: Records of passwords you saved are deleted.