Creative Use of HttpRevealer


How does Basic authentication work?

The Internet has been promoting the idea that all information should be made public and free. Yet, as a webmaster, you may at times want to protect some portion of your website so that only authorized people can access the protected information. There are various ways to protect your data. Among them, the simplest one is called "Basic authentication". In this article, we are going to discuss how the authentication works under the hood.

If you think about it, restricting access to the private content of a website to a group of authorized users is, in nature, very similar to allowing only members of an organization to borrow books from its library. Why are they similar? I promise you will see why after you read this article. Let's first take a look at the following scenario:

A student walks up to the check-out counter of his university's library. He says, "Hi, I want to borrow this book," as he hands the book to the librarian.

"Can I have your ID, please?" she asks.

The student gives her his student ID. She scans the ID and the book's bar code with the scanner and then says, "You are all set!"


Now, let's compare the above scenario with what happens when you try to access a protected intranet website:


Let's assume that your local web server (i.e. localhost) allows only restricted access. As soon as you enter the URL -- http://localhost/index.htm -- into your browser, you see a prompt for your password:



Here is what happened behind the scenes:


The HTTP request above was asking the web server for the page "index.htm". The web server then replied with a "401 Access Denied" response, which rejected the browser's request to retrieve the page "index.htm". Note the WWW-Authenticate header. It was asking the web browser, "Can I have your ID please?"

When your browser received this 401 response, it prompted you for your ID and password.

As soon as you filled out the logon form, you were granted access to the page you requested:



Once again, HttpRevealer unveiled what had actually taken place:


This time, the HTTP request was different. There was an extra header -- the Authorization header. It carried your credentials (i.e. your ID and password) in BASE64-encoded format. That's why the authentication is called Basic authentication. In essence, your browser was handing your ID to the web server. (Still remember our library analogy?)

The web server checked to see if the credentials were correct. In this case, they were. So, you were all set and the web server delivered the content of the protected page to you.
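The two requests described above, worked through in code. This is an added example, not HttpRevealer output or anything from the original article: a client-side helper that builds the Authorization header exactly as a browser does (the word "Basic", then base64 of "ID:password"), a server-side parser that recovers the credentials, and a simulated server decision that issues the 401 challenge with its WWW-Authenticate header or serves the page. The credential store, realm name and sample account are constructed for the demo; the status line uses the standard reason phrase "401 Unauthorized", while the reason phrase a real server shows may differ (the page's server said "Access Denied").

```python
import base64
import binascii
import hmac

# Constructed credential store for the demo (not from the original article).
# A real server would store password hashes rather than plaintext passwords.
CREDENTIALS = {"Aladdin": "open sesame"}
REALM = "Protected Area"  # assumed realm name, shown in the browser's logon prompt


def build_authorization_header(username: str, password: str) -> str:
    """Build the header the browser sends after you fill in the logon form.

    The value is the scheme "Basic" followed by base64("username:password").
    Base64 is an encoding, not encryption: anyone who can read the request
    can recover the password, which is why Basic authentication should
    only travel over HTTPS.
    """
    if ":" in username:
        raise ValueError("Basic authentication usernames cannot contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization_header(value: str):
    """Recover (username, password) from an Authorization header value.

    Returns None for anything that is not a well-formed Basic credential.
    Only the first ':' separates the two fields, so passwords may contain colons.
    """
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def handle_request(request_headers: dict):
    """Simulate the web server's decision for one request.

    Returns (status_line, response_headers). Without valid credentials the
    server answers 401 and, via WWW-Authenticate, asks the browser for the ID.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = request_headers.get("Authorization")
    if auth is None:
        return "401 Unauthorized", challenge       # first request: no ID yet
    creds = parse_authorization_header(auth)
    if creds is None:
        return "401 Unauthorized", challenge       # malformed or wrong scheme
    username, password = creds
    expected = CREDENTIALS.get(username)
    # compare_digest compares secrets without leaking the mismatch position
    # through timing differences.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return "401 Unauthorized", challenge       # unknown user or bad password
    return "200 OK", {"Content-Type": "text/html"}  # all set: deliver the page


if __name__ == "__main__":
    # Request 1: the browser asks for index.htm with no credentials.
    print(handle_request({"Host": "localhost"}))
    # Request 2: after the logon form, the browser repeats the request with the header.
    header = build_authorization_header("Aladdin", "open sesame")
    print(header)  # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_authorization_header(header))
    print(handle_request({"Host": "localhost", "Authorization": header}))
```

Running the script prints the 401 challenge for the first request and "200 OK" for the second. Decoding the header back to the ID and password takes one call, which is the practical point behind the "encoded, not encrypted" remark: on an unencrypted intranet link, the Authorization header is the same as sending the password in the clear.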

By now, you see that retrieving a protected web page is like checking out a book from a library. Yes, we did skip some technical details to make it easier for you to get a high-level understanding of the mechanism. In particular, if you want to learn more about the BASE64 encoding algorithm, see this:
http://www.securitystats.com/tools/base64.php

That's all. I hope you enjoyed the discussion. I found out the above with HttpRevealer. You can explore the web yourself too!

Steven Chau


© 2001-2007 HttpRevealer.com