Basic access authentication
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request.
Protocol
Server side
When the server wants the user agent to authenticate itself to the server, the server must respond appropriately to unauthenticated requests.
To an unauthenticated request, the server should return a response whose header contains an HTTP 401 Unauthorized status and a WWW-Authenticate field.
The WWW-Authenticate field for basic authentication (the most commonly used form) is constructed as follows:
Client side
When the user agent wants to send authentication credentials to the server, it may use the Authorization field.
The Authorization field is constructed as follows:
The username and password are combined with a single colon (:). The resulting string is encoded into an octet sequence, and that octet sequence is then encoded using a variant of Base64. The authorization method followed by a space (e.g. "Basic ") is then prepended to the encoded string. For example, if the browser uses Aladdin as the username and OpenSesame as the password, then the field's value is the Base64 encoding of Aladdin:OpenSesame, which is QWxhZGRpbjpPcGVuU2VzYW1l. The Authorization header will then appear as:
Is Basic authentication secure when it runs over HTTPS?
Authentication and security are separate concerns: HTTPS is responsible for security, and Basic is responsible for authentication. Therefore, if HTTPS is secure, the exchange is secure. However, if one assumes HTTPS is compromised, it is not secure.
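The following is an added example, not code from the original article: it implements both sides of the protocol described above (the server's WWW-Authenticate challenge, the client's Authorization value, and a server-side parse and verify step) and also shows why the HTTPS note matters, since the same decoding step recovers the password from any captured header. The function names and the realm value are my own choices; the charset parameter on the challenge is the one defined by RFC 7617.

```python
import base64
import hmac

# Added example (not from the original article). Function names are assumptions.


def basic_challenge(realm: str) -> str:
    """Server side: value of the WWW-Authenticate field sent with a 401."""
    # realm is a quoted-string; escape backslashes and quotes so the header stays well-formed
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    # charset="UTF-8" is the RFC 7617 parameter telling clients how to encode credentials
    return f'Basic realm="{escaped}", charset="UTF-8"'


def basic_authorization(username: str, password: str) -> str:
    """Client side: value of the Authorization field."""
    if ":" in username:
        raise ValueError("user-id must not contain a colon")
    # 1. join with a single colon  2. encode to octets (UTF-8)
    # 3. Base64-encode             4. prepend the scheme name and a space
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_authorization(header_value: str):
    """Server side: recover (username, password), or None if the value is malformed.

    Base64 is an encoding, not encryption: anyone who can read the header can do this,
    which is why the transport (HTTPS) has to provide the confidentiality.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:  # scheme names are case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad Base64 or bad UTF-8
        return None
    # split on the FIRST colon only: the password itself may contain colons
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def verify_basic(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Server side: check a presented header against the expected credentials."""
    parsed = parse_basic_authorization(header_value)
    if parsed is None:
        return False
    user, pw = parsed
    # constant-time comparisons, combined with & so both always run
    return hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8")) & \
        hmac.compare_digest(pw.encode("utf-8"), expected_password.encode("utf-8"))
```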