HTTP Authentication

Ref:- https://www.httpwatch.com/httpgallery/authentication/

HTTP supports the use of several authentication mechanisms to control access to pages and other resources. These mechanisms are all based around the use of the 401 status code and the WWW-Authenticate response header.


The most widely used HTTP authentication mechanisms are:

Basic

Digest	The client sends the user name and password as unencrypted base64 encoded text. It should only be used with HTTPS, as the password can be easily captured and reused over HTTP.
NTLM	The client sends a hashed form of the password to the server. Although, the password cannot be captured over HTTP, it may be possible to replay requests using the hashed password.
	This uses a secure challenge/response mechanism that prevents password capture or replay attacks over HTTP. However, the authentication is per connection and will only work with HTTP/1.1 persistent connections. For this reason, it may not work through all HTTP proxies and can introduce large numbers of network roundtrips if connections are regularly closed by the web server. Basic access authentication Ref:- https://en.wikipedia.org/wiki/Basic_access_authentication In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. Security The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is, therefore, typically preferred over or used in conjunction with Basic Authentication. Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. Microsoft Internet Explorer by default caches them for 15 minutes. HTTP does not provide a method for a web server to instruct the client to "log out" the user. However, there are a number of methods to clear cached credentials in certain web browsers. One of them is redirecting the user to a URL on the same domain containing credentials that are intentionally incorrect. Unfortunately, this behavior is inconsistent between various browsers and browser versions. Microsoft Internet Explorer offers a dedicated JavaScript method to clear cached credentials: <script>document.execCommand('ClearAuthenticationCache', 'false');</script> Protocol Server side When the server wants the user agent to authenticate itself towards the server, it must respond appropriately to unauthenticated requests. Unauthenticated requests should return a response whose header contains a HTTP 401 Not Authorized status and a WWW-Authenticate field The WWW-Authenticate field for basic authentication (used most often) is constructed as following: WWW-Authenticate: Basic realm="nmrs_m7VKmomQ2YM3:" Client side When the user agent wants to send the server authentication credentials it may use the Authorization field The Authorization field is constructed as follows Username and password are combined into a string "username:password". The resulting string is then encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line. The authorization method and a space i.e. "Basic " is then put before the encoded string. For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the field is formed as follows: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==