


There seems to be some controversy about whether or not browsers have dropped the feature, and/or whether the feature is deprecated.

But unless your browser has in fact dropped the feature, then as noted in the answer above, you can specify a url with basic authentication as

you really should not use http protocol, since that will send the credentials in clear text.

Instead, just use:

that you must urlencode special characters in the user or password fields (I frequently use in my passwords, so those must be written as '%40').

The browser extracts the credentials, and passes them to the server in an Authorization header:

Authorization: Basic credentials

Where the credentials are simply the (url-decoded) string "username:password" as written in the url, but base64-encoded. But since the https connection is encrypted, the header is encrypted and the credentials are not exposed outside the browser.

I think the whole issue about removing support or deprecating the feature was based on the security implications of specifying the credentials using http protocol. But with the availability of free ssl certificates, and the push for "ssl everywhere", that no longer seems like much of a problem these days.

Of course there's also the issue of how much good passing credentials this way does you. Many or most applications that require login expect to get the credentials from a form the user fills out and sends with a POST request. The application would have to be written to check each request for an Authorization header, and if present, process the credentials the same way they would if they had been specified by a POST of a filled-out login form.

Applications that expect HTTP basic authentication generally are built with that requirement built into the server configuration, e.g. using Apache directives along these lines:

Where the file /lib/ers is a file of encrypted usernames and passwords generated by the Apache utility program htpasswd. With this configuration, any request for resources below /htdocs/protected is automatically checked by Apache for an Authentication header. If the request has no such header, or the credentials specified in the header do not match one of the pairs of usernames and passwords in /lib/ers, then the server responds with a 401 Unauthorized status and a header:

WWW-Authenticate: Basic realm="Registered User"

Note that the realm value "Registered User" is the AuthName value from the Apache configuration.
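The header construction and the server-side check described in this answer, as an added example that is not part of the original post or of Apache's code. The function names, the `USERS` table (plaintext here for brevity) and the `example.test` URL are assumptions made for illustration; refusing non-https URLs is this example's own choice, following the answer's advice.

```python
import base64
import hmac
from urllib.parse import urlsplit, unquote

REALM = "Registered User"          # AuthName value quoted in the answer
USERS = {"alice": "p@ss:word"}     # constructed sample; a real htpasswd file holds hashes

def header_from_url(url):
    """Build the Authorization header value from the user:password part of a URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to put Basic credentials on a %s URL" % parts.scheme)
    if parts.username is None or parts.password is None:
        raise ValueError("URL has no user:password part")
    # Percent-decode before joining: '%40' in the URL is '@' in the credentials.
    pair = unquote(parts.username) + ":" + unquote(parts.password)
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")

def check_request(headers, users=USERS):
    """Return (status, response_headers) for a request to the protected area."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:              # bad base64 or bad UTF-8
        return 401, challenge
    # Split on the first colon only, so a password may itself contain ':'.
    user, sep, password = decoded.partition(":")
    expected = users.get(user)
    if not sep or expected is None:
        return 401, challenge
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return 401, challenge
    return 200, {}

if __name__ == "__main__":
    url = "https://alice:p%40ss%3Aword@example.test/protected/"  # constructed URL
    print(check_request({"Authorization": header_from_url(url)}))
    print(check_request({}))
```

Base64 is an encoding, not encryption: anyone who sees the header can recover the password, which is why the transport has to be https.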
