In the context of an

HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide We ...

transaction, basic access authentication is a method for an HTTP user agent (e.g. a

web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used o ...

) to provide a

user name A user is a person who utilizes a computer or network service. A user often has a user account and is identified to the system by a username (or user name). Other terms for username include login name, screenname (or screen name), accoun ...

and

password A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...

when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic , where credentials is the

Base64 In computer programming, Base64 is a group of binary-to-text encoding schemes that represent binary data (more specifically, a sequence of 8-bit bytes) in sequences of 24 bits that can be represented by four 6-bit Base64 digits. Common to all bina ...

encoding of ID and password joined by a single colon :. It was originally implemented by Ari Luotonen at CERN in 1993 and defined in the HTTP 1.0 specification in 1996. It is specified in from 2015, which obsoletes from 1999.

Features

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it does not require

cookies A cookie is a baked or cooked snack or dessert that is typically small, flat and sweet. It usually contains flour, sugar, egg, and some type of oil, fat, or butter. It may include other ingredients such as raisins, oats, chocolate chi ...

, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the

HTTP header The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, w ...

Security

The BA mechanism does not provide

confidentiality Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information. Legal confidentiality By law, lawyers are often required ...

protection for the transmitted credentials. They are merely encoded with

in transit and not

encrypted In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can deci ...

or hashed in any way. Therefore, basic authentication is typically used in conjunction with

HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...

to provide confidentiality. Because the BA field has to be sent in the header of each HTTP request, the web browser needs to

cache Cache, caching, or caché may refer to: Places United States * Cache, Idaho, an unincorporated community * Cache, Illinois, an unincorporated community * Cache, Oklahoma, a city in Comanche County * Cache, Utah, Cache County, Utah * Cache County ...

credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain, using credentials that are intentionally incorrect. However, this behavior is inconsistent between various browsers and browser versions.

Microsoft Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical web browsers developed by Microsoft which was used in the Windows line of operating systems (in W ...

offers a dedicated JavaScript method to clear cached credentials: In modern browsers, cached credentials for basic authentication are typically cleared when clearing browsing history. Most browsers allow users to specifically clear only credentials, though the option may be hard to find, and typically clears credentials for all visited sites.

Protocol

Server side

When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with a ''HTTP 401 Unauthorized'' status line and a ''WWW-Authenticate'' header field. The ''WWW-Authenticate'' header field for basic authentication is constructed as following:


WWW-Authenticate: Basic realm="User Visible Realm"

The server may choose to include the ''charset'' parameter from :


WWW-Authenticate: Basic realm="User Visible Realm", charset="UTF-8"

This parameter indicates that the server expects the client to use UTF-8 for encoding username and password (see below).

Client side

When the user agent wants to send authentication credentials to the server, it may use the ''Authorization'' header field. The ''Authorization'' header field is constructed as follows: # The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon. # The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the ''charset'' parameter. # The resulting string is encoded using a variant of Base64 (+/ and with padding). # The authorization method and a space character (e.g. "Basic ") is then prepended to the encoded string. For example, if the browser uses ''Aladdin'' as the username and ''open sesame'' as the password, then the field's value is the Base64 encoding of ''Aladdin:open sesame'', or ''QWxhZGRpbjpvcGVuIHNlc2FtZQ

''. Then the ''Authorization'' header field will appear as:


Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ

References and notes

External links

*{{cite web, title=RFC 7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication, url=https://tools.ietf.org/html/rfc7235, publisher=Internet Engineering Task Force (IETF), date=June 2014 Hypertext Transfer Protocol. Computer access control protocols de:HTTP-Authentifizierung#Basic Authentication.