Http Basic Authentication 的请求头Authorization的状态保存问题:见‘斜粗下划线’部分说明

Basic access authentication

From Wikipedia, the free encyclopedia

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name andpassword when making a request.

Features[edit]

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookiessession identifierand login pages. Rather, HTTP Basic authentication uses static, standard fields in the HTTP header which means that no handshakes have to be done in anticipation.

Security[edit]

The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. Basic Authentication is, therefore, typically used over HTTPS.

Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. Microsoft Internet Explorer by default caches them for 15 minutes.[1]

HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain containing credentials that are intentionally incorrect.

Unfortunately, this behavior is inconsistent between various browsers and browser versions.[2] Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials:[3]

 <script>document.execCommand('ClearAuthenticationCache', 'false');</script>

Protocol[edit]

Server side[edit]

When the server wants the user agent to authenticate itself towards the server, it must respond appropriately to unauthenticated requests.

Unauthenticated requests should return a response whose header contains a HTTP 401 Not Authorized status[4] and a WWW-Authenticate field.[5]

The WWW-Authenticate field for basic authentication (used most often) is constructed as following:[6]

WWW-Authenticate: Basic realm="nmrs_m7VKmomQ2YM3:"

Client side[edit]

When the user agent wants to send the server authentication credentials it may use the Authorization field.[7]

The Authorization field is constructed as follows:[8]

  1. Username and password are combined into a string "username:password". Note that username cannot contain the ":" character.[9]
  2. The resulting string is then encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line[10]
  3. The authorization method and a space i.e. "Basic " is then put before the encoded string.

For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the field is formed as follows:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

See also[edit]

References and notes[edit]

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值