Basic access authentication

HTTP authentication is a method by which the user of a web browser can authenticate to a web server or web application as a particular user, in order to then be authorized for further access.

It is part of the Hypertext Transfer Protocol (HTTP), which forms the basis of the World Wide Web.

Function

When the web server determines that a username or password is required for a requested URL, it reports this to the browser with the status code 401 Unauthorized and the WWW-Authenticate header. The browser then determines the data needed for the request (by asking the user or by using previously entered values) and sends the result to the server, which delivers the requested page if the credentials are correct and an appropriate error message otherwise.

Server-side authentication must be configured accordingly, for example in the Apache HTTP Server through the directives provided by its authentication modules, written in a .htaccess file. The preferred way, however, is to place these directives in the central server configuration file.

Once the protocol has completed, the user is authenticated to the web server, but the converse does not hold: the user cannot be sure that the web server really is who it claims to be. A spoofing attack can mimic a legitimate web server, for example in order to obtain further user data. Usually a security protocol such as HTTPS is used to authenticate the web server to the user; it can confirm the identity of the web server using digital certificates.

Use

Larger websites use this standardized method only rarely, because the input fields for username and password cannot be laid out and integrated into the website as easily as an HTML form. In some cases the HTTP auth prompt is also supplemented by custom JavaScript functions.

On simple homepages HTTP authentication is found more often, because no programming is required. Many web hosting providers offer a simple way to configure it via a web interface.

Method

There are several ways to authenticate users (clients). Common ones are:

Basic Authentication

Basic Authentication according to RFC 2617 is the most common type of HTTP authentication. The web server requests authentication with

WWW-Authenticate: Basic realm="Realm Name"

where the realm name is a description of the protected area. The browser then looks up a username/password for this URL and, if necessary, asks the user. It then sends the authentication to the server in the Authorization header in the form username:password, base64-encoded. Example:

Digest Access Authentication

With Digest Access Authentication (also RFC 2617) the server sends, together with the WWW-Authenticate header, a specially generated random string (nonce). The browser computes a hash (usually MD5) over a combination of username, password, the received random string, the HTTP method and the requested URI. It sends this in the Authorization header, together with the username and the random string, back to the server. The server in turn computes the hash and compares it. The procedure is similar to that of a message authentication code.

Assuming the hash function used is cryptographically secure, intercepting the communication gains an attacker nothing, because the credentials cannot be reconstructed from the hash and, thanks to the nonce, every request is different. (Specifically, the widespread hash function MD5 is no longer considered secure.) The rest of the data transfer, however, is not protected; to achieve that, HTTPS, for example, can be used.
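As an added example (not code from the original article), the following shows the client-side computations behind both the Basic exchange and the Digest exchange described above, plus the server-side check that a Digest server performs. The function names are assumptions for this illustration, and the sample credentials, nonce and cnonce used to exercise it are the worked example from RFC 2617, not values taken from this page.

```python
import base64
import hashlib
import hmac
import re

# Added example, not code from the original article: Basic and Digest
# client computations plus the server-side Digest check (RFC 2617, qop=auth).

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

def parse_challenge(header: str) -> dict:
    """Split a WWW-Authenticate value into its scheme and key=value parameters."""
    scheme, _, params = header.partition(" ")
    fields = {k: quoted or bare for k, quoted, bare in _PARAM.findall(params)}
    fields["scheme"] = scheme
    return fields

def basic_authorization(username: str, password: str) -> str:
    """Basic: the Authorization value is only base64("user:password"), so it
    hides nothing from anyone who can read the request."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); a server can store this instead of the password."""
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1: str, nonce: str, method: str, uri: str,
                    nc: str = "00000001", cnonce: str = "", qop: str = "auth") -> str:
    """Digest response per RFC 2617 with qop=auth: the hash is bound to the
    server nonce, request counter, client nonce, method and URI, so a captured
    value does not verify against a different request."""
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # older RFC 2069 form without qop/cnonce

def server_verify(stored_ha1: str, nonce: str, method: str, uri: str,
                  nc: str, cnonce: str, client_response: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare in
    constant time; the server never needs the plaintext password."""
    expected = digest_response(stored_ha1, nonce, method, uri, nc, cnonce)
    return hmac.compare_digest(expected, client_response)
```

The contrast worth noticing is that the Basic token decodes straight back to the credentials, while the Digest server only needs HA1 and a captured Digest response fails verification as soon as the method or URI differs.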

NTLM HTTP Authentication

On intranets with Windows servers, the proprietary NTLM authentication scheme is often used.
