Http Basic Authentication

Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 295
When using basic authentication, the Http Client will set the Authorization token to an encoded version of the username and password and send the request to the Server.
This usually happens after the submission of the Basic Authentication form. I am looking at Http Requests in Fiddler that happen after the Basic Authentication has been completed and I can still see this Authorization token set. I am just wondering how this is considering HTTP is stateless?

Many thanks.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2329
It is resending the auth data precisely because HTTP is stateless - there is no session at work, so the auth info needs to be resent with each request.
Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 295
Tim Moores wrote: It is resending the auth data precisely because HTTP is stateless - there is no session at work, so the auth info needs to be resent with each request.


Brilliant answer. So the browser resends. Where does the browser store it then - in a cookie?

Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2329
No, in memory. That's why you need to reenter the auth info if you restart the browser.
Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 295
Tim Moores wrote: No, in memory. That's why you need to reenter the auth info if you restart the browser.


Great stuff Tim. Well explained. Succinct and clinical. I actually couldn't find much on this in Google. I suppose the browser is not obliged to do this. It just does this to be nice. Correct?
Can it be turned off?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 13842

Yes, the browser does that for the convenience of its users. In other words, so they don't have to key in the authentication every single time they go to a page on a site which uses basic authentication.

So "Can it be turned off" is a question about each browser individually. You could poke around in their configurations, probably under some tab labelled "Security". But I can't imagine why you would want to turn it off, considering that would just make you key in your authentication repeatedly.
Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 295
Paul Clapham wrote:
So "Can it be turned off" is a question about each browser individually. You could poke around in their configurations, probably under some tab labelled "Security". But I can't imagine why you would want to turn it off, considering that would just make you key in your authentication repeatedly.

Just curious really.
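
The behaviour discussed in this thread, as an added example that is not part of the original posts: a loopback server that keeps no session and checks the Authorization header on every request, and a client loop standing in for the browser that replays the credentials it holds in memory. The credentials, the realm name and the function names are constructed for illustration.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credentials (assumption, not from the thread).
EXPECTED = b"alice:s3cret"
seen_headers = []  # Authorization value of every request the server receives

class BasicAuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        header = self.headers.get("Authorization")
        seen_headers.append(header)
        supplied = b""
        # No session lookup: each request is judged only on the header it carries.
        if header and header.startswith("Basic "):
            try:
                supplied = base64.b64decode(header[6:])
            except ValueError:
                pass  # malformed base64 is treated as wrong credentials
        ok = hmac.compare_digest(supplied, EXPECTED)
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args): pass  # silence per-request logging

def run_demo():
    seen_headers.clear()
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    token = "Basic " + base64.b64encode(EXPECTED).decode()
    statuses = []
    # Request 1: no header, so the server challenges. Requests 2 and 3: the
    # client replays what it holds in memory. Request 4: header gone, challenge again.
    for headers in ({}, {"Authorization": token}, {"Authorization": token}, {}):
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
        conn.request("GET", "/", headers=headers)
        statuses.append(conn.getresponse().status)
        conn.close()
    server.shutdown()
    server.server_close()
    return statuses, list(seen_headers)

if __name__ == "__main__":
    print(run_demo())
```

The header value the server records is only base64, so it decodes straight back to `user:password`; anything that can read the request (a proxy such as Fiddler, or the network when TLS is not used) sees the credentials on every request.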
 
 