HTTP (2) Basic Authentication

The http protocol is stateless and can be identified by cookies between browsers and web servers. How do I identify desktop applications (such as Sina Desktop client and skydrive client) and Web servers?

 

Reading directory

1. What is basic HTTP Authentication
2. Basic HTTP authentication process
3. Advantages of HTTP Basic Authentication
4. Authentication is required each time.
5. It is safe to use basic HTTP Authentication and HTTPS together.
6. HTTP OAuth Authentication
7. Other Certifications
8. Client usage

 

What is basic HTTP Authentication

Desktop applications also interact with Web servers over HTTP. desktop applications generally do not use cookies, instead, the "username + colon + password" BASE64 encoded string is placed in the header Authorization in the http request and sent to the server. This method is called Basic Authentication)

When a browser accesses a website that uses basic authentication, the browser prompts you to enter the user name and password, as shown in figure

 

If the user name and password are incorrect, the server returns 401, as shown in figure

 

Basic HTTP authentication process

Step 1: the client sends an http request to the server,

Step 2: because the request does not contain the Authorization header, the server returns a 401 Unauthozied to the client and adds information to the Response header "WWW-Authenticate.

 

Step 3: the client uses BASE64 to encode the user name and password and sends it to the server in the Authorization header. The authentication is successful.

Step 4: The server extracts the username and password from the Authorization header for verification. If the authentication succeeds, the server sends the resource to the client based on the request.

 

Use the Auth tab under Fiddler Inspectors to conveniently view the user name and password:

 

Advantages of HTTP Basic Authentication

Basic HTTP authentication, simple and clear. Rest APIs are frequently used for basic authentication.

 

Authentication is required each time.

The http protocol is stateless, and each request from the same client to the server requires authentication.

 

Basic HTTP Authentication and HTTPS

Although the string encoded with BASE64 "username + colon + password" is invisible, it is easy to decrypt it with the program. You can see that Fiddler is decrypted directly. Therefore, it is insecure to transmit such http requests over the network. HTTPS is usually used for transmission, and HTTPS is encrypted, so it is safer.

 

For HTTP, OAuth is put in the Authorization header rather than the username and password, but a token. Microsoft Skydrive uses this method, as shown in figure

In addition to Basic Authentication, other authentication also includes digest Authentication, and WSSE (WS-Security) authentication. If the client is used for digest Authentication, it must interact with the "website with Basic authentication. It is very easy to add the user name and password to the Authorization header. C #

string url = "https://testsite";HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);NetworkCredential nc = new NetworkCredential("username", "password");req.Credentials = nc;

 

Curl in Linux

curl -u username:password https://testsite/