Basic authentication of HTTP protocol

The HTTP protocol is stateless and can be identified by a cookie between the browser and the Web server. How are desktop applications (such as the Sina Desktop client, SkyDrive client) and the Web server identified?

　　Read Catalogue

1. What is HTTP Basic authentication
2. The process of HTTP Basic authentication
3. The advantages of HTTP Basic authentication
4. Every time you have to be certified
5. HTTP Basic authentication is safe to use with HTTPS
6. HTTP OAuth Authentication
7. Other Certifications
8. Use of the client

What is HTTP Basic authentication

Desktop applications also interact with the Web server via the HTTP protocol, and desktop applications generally do not use cookies, but instead place the "username + colon + password" in the header of the HTTP request with the string encrypted by the BASE64 algorithm Authorization sent to the server, this method is called HTTP Basic authentication (Basic authentication)

When a browser accesses a website that uses basic authentication, the browser prompts you for a user name and password, such as

If the user name password is incorrect, the server will return 401 as

The process of HTTP Basic authentication

The first step: The client sends an HTTP request to the server,

Step two: Because the request does not contain the authorization header, the server returns a 401 unauthozied to the client and adds information to the response header "Www-authenticate".

The third step: the client to the user name and password with BASE64 encryption, placed in the authorization header sent to the server, authentication success.

The fourth step: the server will authorization header of the user name password out, to verify, if the authentication through, according to the request, send resources to the client

Using the Auth tab under Fiddler inspectors, you can easily see the user name and password:

The advantages of HTTP Basic authentication

HTTP Basic authentication, simple and clear. The Rest API is often used for basic authentication.

Every time you have to be certified

The HTTP protocol is stateless and requires authentication for each request from the same client to the server.

HTTP Basic Authentication and HTTPS

The "User name + colon + password" with BASE64 encrypted string although with the naked eye can not be seen, but the program is easy to decrypt, you see Fiddler directly to decrypt. So HTTP request on the network, if the use of HTTP transmission is very insecure. Generally will be used HTTPS transmission, HTTPS is encrypted, so it is more secure.

HTTP oauth authentication OAuth for HTTP, it is not the user name password that is placed in the authorization header, but a token. Microsoft's SkyDrive is using this approach, such as:

Other certifications In addition to Basic authentication, as well as Digest Authentication Digest authentication, the use of Wsse (ws-security) authentication Client if you want to interact with "sites using Basic authentication." Very simple, the user name password is added to the authorization header.

Basic authentication of HTTP protocol