HTTP protocol (ii)--basic Authentication

HTTP protocol (ii) Basic authentication

The HTTP protocol is stateless and can be identified by a cookie between the browser and the Web Server. How are desktop applications (such as the Sina desktop client, SkyDrive client) and the Web server identified?

What is HTTP Basic Authentication

desktop applications also pass The HTTP protocol interacts with the Web server, and the desktop application generally does not use cookies, but instead sends the "username + colon + password" to the service side in the header authorization of the HTTP request with the BASE64 encoded STRING. This method is called HTTP Basic authentication (basic Authentication)

when a browser accesses a website that uses basic authentication, the browser prompts you to enter your user name and password, such as

If the user name password is wrong, the Server will return 401 as

The process of HTTP Basic authentication

the First step : The client sends an HTTP request to the server,

Step two : Because the request does not contain the authorization header, the server returns a 401 unauthozied to the client, and the header "www-authenticate" in response Add information in The.

the third step: the client uses the user name and password BASE64 encoded, placed in the authorization header sent to the server, the authentication is Successful.

fourth step: the server will The username and password in the Authorization header is taken out, verified, and if authenticated, the resource is sent to the client according to the Request.

Use Fiddler inspectors under the auth tab, you can easily see the user name and password:

The advantages of HTTP Basic authentication

HTTP basic authentication, Simple and clear. Rest API is a common use of basic authentication

Every time you have to be certified

The HTTP protocol is stateless and requires authentication for each request from the same client to the server

HTTP Basic Authentication and HTTPS

the "user name + colon + password" with BASE64 encoded string although with the naked eye can not be seen, but the program is easy to decrypt, you see Fiddler directly to Decrypt. So HTTP request on the network, if the use of HTTP transmission is very insecure. Generally will be used HTTPS transmission, HTTPS is encrypted, so it is more secure.

HTTP OAuth Authentication

For http, OAuth is not a user name password, but a token in the authorization header.

Microsoft's Skydrive is used in such a way that

Other Certifications

In addition to basic certification (Basic authentication), as well as Digest Authentication Digest authentication, wsse (ws-security) Certification

Use of the client

the client interacts with a site that uses basic Authentication. Very simple, the user name password is added to the authorization header.

C#

String url = "https://testsite";

HttpWebRequest req = (httpwebrequest) webrequest.create (url);

NetworkCredential NC = new NetworkCredential ("username", "password");

HTTP protocol (ii)--basic Authentication