In the context of an
Authorization: Basic <credentials>, where credentials is the Base64
HTTP Basic authentication (BA) implementation is the simplest technique for enforcing
The BA mechanism does not provide
Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers.
In modern browsers, cached credentials for basic authentication are typically cleared when clearing browsing history. Most browsers allow users to specifically clear only credentials, though the option may be hard to find, and typically clears credentials for all visited sites.
Brute forcing credentials is not actively prevented or detected (unless a server-side mechanism is used).
When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with a HTTP 401 Unauthorized status line and a WWW-Authenticate header field.
The WWW-Authenticate header field for basic authentication is constructed as following:
WWW-Authenticate: Basic realm="User Visible Realm"
The server may choose to include the charset parameter from
WWW-Authenticate: Basic realm="User Visible Realm", charset="UTF-8"
This parameter indicates that the server expects the client to use UTF-8 for encoding username and password (see below).
When the user agent wants to send authentication credentials to the server, it may use the Authorization header field.
The Authorization header field is constructed as follows:
- The username and password are combined with a single colon (ii). This means that the username itself cannot contain a colon.
- The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the charset parameter.
- The resulting string is encoded using a variant of Base64 (+/ and with padding).
- The authorization method and a space character (e.g. "Basic ") is then prepended to the encoded string.
For example, if the browser uses Aladdin as the username and open sesame as the password, then the field's value is the Base64 encoding of Aladdin:open sesame, or QWxhZGRpbjpvcGVuIHNlc2FtZQ==. Then the Authorization header field will appear as:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- Digest access authentication
- HTTP header
- TLS-SRP, an alternative if one wants to avoid transmitting a password-equivalent to the server (even encrypted, like with TLS).
References and notes
- Luotonen, Ari (10 September 2022). "Announcing Access Authorization Documentation". [email protected] (Mailing list). Retrieved 7 February 2022.
- "Hypertext Transfer Protocol -- HTTP/1.0". www.w3.org. W3C. 19 February 1996. Retrieved 7 February 2022.
- "Is there a browser equivalent to IE's ClearAuthenticationCache?". StackOverflow. Retrieved March 15, 2013.
IDM_CLEARAUTHENTICATIONCACHEcommand identifier". Microsoft. Retrieved March 15, 2013.
- "540516 - Usability: Allow users to clear HTTP Basic authentication details ('Logout')". bugzilla.mozilla.org. Retrieved 2020-08-06.
Clear Recent History->Active Logins (in the details) is used to clear the authentication.
- "Clear browsing data - Computer - Google Chrome Help". support.google.com. Retrieved 2020-08-06.
Data that can be deleted[...]Passwords: Records of passwords you saved are deleted.
- "RFC 1945 Section 11. Access Authentication". IETF. May 1996. p. 46. Retrieved 3 February 2017.
- Fielding, Roy T.; Berners-Lee, Tim; Henrik, Frystyk. "Hypertext Transfer Protocol -- HTTP/1.0". tools.ietf.org.
- Reschke, Julian. "The 'Basic' HTTP Authentication Scheme". tools.ietf.org.
- "RFC 7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication". Internet Engineering Task Force (IETF). June 2014...