Http Basic Authentication 的请求头Authorization的状态保存问题:见‘斜粗下划线’部分说明
2015-08-27 00:27
681 查看
Basic access authentication
From Wikipedia, the free encyclopediaHTTP transaction, basic
access authentication is a method for an HTTP user agent to
provide a user name andpassword when
making a request.
Contents
[hide]1 Features
2 Security
3 Protocol
3.1 Server
side
3.2 Client
side
4 See
also
5 References
and notes
Features[edit]
HTTP Basic authentication (BA) implementation is the simplest technique for enforcing accesscontrols to web resources because it doesn't require cookies, session
identifierand login pages. Rather, HTTP Basic authentication uses static, standard fields in the HTTP
header which means that no handshakes have to be done
in anticipation.
Security[edit]
The BA mechanism provides no confidentiality protectionfor the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in
any way. Basic Authentication is, therefore, typically used over HTTPS.
Because the BA field has to be sent in the header of each HTTP request, the web
browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. Microsoft
Internet Explorer by default caches them for 15 minutes.[1]
HTTP does not provide a method for a web server to instruct
the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain containing credentials that are intentionally incorrect.
Unfortunately, this behavior is inconsistent between various browsers and browser versions.[2] Microsoft
Internet Explorer offers a dedicated JavaScript method to clear cached credentials:[3]
<script>document.execCommand('ClearAuthenticationCache', 'false');</script>
Protocol[edit]
Server side[edit]
When the server wants the user agent to authenticate itself towards the server, it must respond appropriately to unauthenticated requests.Unauthenticated requests should return a response whose header contains a HTTP 401 Not Authorized status[4] and
a WWW-Authenticate field.[5]
The WWW-Authenticate field for basic authentication (used most often) is constructed as following:[6]
WWW-Authenticate: Basic realm="nmrs_m7VKmomQ2YM3:"
Client side[edit]
When the user agent wants to send the server authentication credentials it may use the Authorization field.[7]The Authorization field is constructed as follows:[8]
Username and password are combined into a string "username:password". Note that username cannot contain the ":" character.[9]
The resulting string is then encoded using the RFC2045-MIME variant of Base64,
except not limited to 76 char/line[10]
The authorization method and a space i.e. "Basic " is then put before the encoded string.
For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the field is formed as follows:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
See also[edit]
Digest access authenticationHTTP header
TLS-SRP, an alternative if one wants to avoid transmitting a password-equivalent
to the server (even encrypted, like with TLS).
References and notes[edit]
Jumpup^ "Basic
Authentication". Microsoft. 2005. Retrieved October 17, 2014.
Jump
up^ "Is
there a browser equivalent to IE's ClearAuthenticationCache?". StackOverflow. Retrieved March 15, 2013.
Jump
up^ "IDM_CLEARAUTHENTICATIONCACHE command
identifier". Microsoft. Retrieved March 15, 2013.
Jump
up^ http://tools.ietf.org/html/rfc1945#section-11
Jump
up^ http://tools.ietf.org/html/rfc1945#section-10.16
Jump
up^ http://tools.ietf.org/html/rfc1945#section-11.1
Jump
up^ http://tools.ietf.org/html/rfc1945#section-10.2
Jump
up^ http://tools.ietf.org/html/rfc1945#section-10.2
Jump
up^ http://tools.ietf.org/html/rfc2617#section-2
Jump
up^ http://tools.ietf.org/html/rfc1945#section-11
Categories:
Hypertext Transfer Protocol
Computer access control protocols
相关文章推荐
- Http Basic Authentication has some limitations, maybe nginx could do some help...
- ub 网络框架的几种线程模型
- PostgreSQL之网络地址类型
- 网络配置
- Httpd运维日志:通过apxs添加模块
- 2015年8月15-16日,杨学明老师《互联网行业市场管理与产品规划》内训在中国科学院互联网络信息中心成功举办!
- HelloX操作系统网络功能简介及使用和开发指南
- HelloX操作系统网络功能简介及使用和开发指南
- TCP实现P2P通信、TCP穿越NAT的方法、TCP打洞
- TCP/IP
- C# httpwebrequest访问HTTPS错误处理
- TCP/IP详解-坚持定时器和保活定时器
- Kids and Prizes 来源: <http://acm.hust.edu.cn/vjudge/contest/view.action?cid=85996#problem/B>
- HttpClient4.3教程
- 《HTTP权威指南》阅读笔记(九)
- 深度学习记录第一天--神经网络
- 社交网络中基于位置的影响力最大化 CIKM2015 译文
- 一个简单的HTTP代理服务器c语言实现
- http与https的区别
- ACM网络流模板 最大流ISAP URAL1774