HTTPD Authorization Mechanisms

Basic Authentication

See A Guide to Web Authentication Alternatives by Jan Wolter for more information.

This is a trace of a request for a page using the Basic Authentication mechanism. A Wikipedia article gives a more detailed explanation. Basically, it is a username and password authentication scheme based on HTTP/1.0 standards. A page rejected with code 401, Authorization Required, also returns the WWW-Authenticate header. The browser will request the page again, this time sending the username and password, base64 encoded, in the Authorization header.

Once a browser has determined that credentials are needed for a certain URL, future requests for that page will include those credentials with the initial request. The browser will also assume that the same credentials are required for all pages descending from that path and will include the credentials with the initial request for those resources as well.

http://www.cs.miami.edu/~burt/reference/crypto/
GET /~burt/reference/crypto/ HTTP/1.1
Host: www.cs.miami.edu
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.cs.miami.edu/~burt/reference/

HTTP/1.x 401 Authorization Required
Date: Fri, 01 Jun 2007 19:19:16 GMT
Server: Apache/1.3.29 (Unix) PHP/4.3.10
WWW-Authenticate: Basic realm="RC4,MD5,etc"
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

----------------------------------------------------------
http://www.cs.miami.edu/~burt/reference/crypto/

GET /~burt/reference/crypto/ HTTP/1.1
Host: www.cs.miami.edu
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.cs.miami.edu/~burt/reference/
Authorization: Basic eWVzaXRpczpiYXNlNjQ=

HTTP/1.x 200 OK
Date: Fri, 01 Jun 2007 19:19:29 GMT
Server: Apache/1.3.29 (Unix) PHP/4.3.10
Keep-Alive: timeout=15, max=92
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
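The exchange above, worked through in Python as an added example that is not part of the original page: it parses the realm out of the 401 challenge, builds the Authorization header the way the browser does, decodes one back (showing that base64 is an encoding, not a secret, so Basic only makes sense over TLS), and models the path-prefix rule under which the browser sends credentials pre-emptively. The 401 sample is constructed from the trace; the function names are this example's own.

```python
import base64
import re

# Constructed sample: the challenge from the trace, one header per line.
CHALLENGE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "WWW-Authenticate: Basic realm=\"RC4,MD5,etc\"\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

def parse_basic_challenge(response: str):
    """Return the realm from a Basic WWW-Authenticate challenge, or None."""
    for line in response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            m = re.match(r'\s*Basic\s+realm="([^"]*)"', value, re.IGNORECASE)
            if m:
                return m.group(1)
    return None

def build_basic_authorization(username: str, password: str) -> str:
    """Encode user:pass as the browser does. The colon is the separator, so the
    username must not contain one (the password may)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_authorization(header: str):
    """Recover (username, password) from an Authorization header. Anyone who can
    read the request (proxy, sniffer, log) can do this; there is no secret here."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def within_protection_space(authenticated_path: str, request_path: str) -> bool:
    """Model the browser rule described above: once credentials work for a URL,
    they are sent pre-emptively for that directory and everything below it."""
    base = authenticated_path.rsplit("/", 1)[0] + "/"
    return request_path.startswith(base)
```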

Digest access authentication

Digest access authentication is a challenge-response authentication scheme meant to improve on and replace the Basic scheme. It is a standard protocol proposed as an extension to the HTTP protocol specifications. See Digest access authentication.