Http Basic Authentication

Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 300
When using basic authentication, the HTTP client will set the Authorization token to an encoded version of the username and password and send the request to the server.
This usually happens after the submission of the Basic Authentication form. I am looking at HTTP requests in Fiddler that happen after the Basic Authentication has been completed and I can still see this Authorization token set. I am just wondering how this is, considering HTTP is stateless?

Many thanks.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
It is resending the auth data precisely because HTTP is stateless - there is no session at work, so the auth info needs to be resent with each request.
Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 300
Tim Moores wrote: It is resending the auth data precisely because HTTP is stateless - there is no session at work, so the auth info needs to be resent with each request.


Brilliant answer. So the browser resends. Where does the browser store it then - in a cookie?

Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
No, in memory. That's why you need to reenter the auth info if you restart the browser.
Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 300
Tim Moores wrote: No, in memory. That's why you need to reenter the auth info if you restart the browser.


Great stuff Tim. Well explained. Succinct and clinical. I actually couldn't find much on this in Google. I suppose the browser is not obliged to do this. It just does this to be nice. Correct?
Can it be turned off?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18902
Yes, the browser does that for the convenience of its users. In other words, so they don't have to key in the authentication every single time they go to a page on a site which uses basic authentication.

So "Can it be turned off" is a question about each browser individually. You could poke around in their configurations, probably under some tab labelled "Security". But I can't imagine why you would want to turn it off, considering that would just make you key in your authentication repeatedly.
Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 300
Paul Clapham wrote:
So "Can it be turned off" is a question about each browser individually. You could poke around in their configurations, probably under some tab labelled "Security". But I can't imagine why you would want to turn it off, considering that would just make you key in your authentication repeatedly.

Just curious really.
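
The exchange discussed in this thread, as an added example that is not part of any of the original posts: a loopback server that checks the `Authorization` header on every request, and a client that, like a browser, keeps the credentials only in memory and resends them each time. The account `alice`/`s3cret`, the realm `demo` and all function and class names are constructed for the illustration.

```python
import base64, hmac, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"alice": "s3cret"}  # constructed sample credentials
SEEN = []                    # Authorization header of every request the server receives

def check_basic(header):
    # Basic credentials are base64("user:password"): encoded, not encrypted.
    try:
        scheme, _, blob = (header or "").partition(" ")
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:
        return False
    return (scheme.lower() == "basic" and user in USERS
            and hmac.compare_digest(USERS[user].encode(), password.encode()))

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        SEEN.append(self.headers.get("Authorization"))
        ok = check_basic(SEEN[-1])  # no session: each request is verified from scratch
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.end_headers()

    def log_message(self, *args): pass  # keep the demo quiet

class BrowserLikeClient:
    def __init__(self, port):
        self.port, self.cached = port, None  # credentials are held in memory only

    def get(self, path, prompt=None):
        headers = {"Authorization": self.cached} if self.cached else {}
        conn = http.client.HTTPConnection("127.0.0.1", self.port, timeout=5)
        conn.request("GET", path, headers=headers)
        status = conn.getresponse().status
        conn.close()
        if status == 401 and self.cached is None and prompt:  # user fills in the dialog once
            self.cached = "Basic " + base64.b64encode(":".join(prompt).encode()).decode()
            return self.get(path)
        return status

def run_demo():
    SEEN.clear()
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        browser, restarted = (BrowserLikeClient(server.server_port) for _ in range(2))
        statuses = [browser.get("/a", ("alice", "s3cret")), browser.get("/b"), restarted.get("/c")]
        server.shutdown()
    return statuses, list(SEEN)
```

`run_demo()` returns the status codes and the `Authorization` values the server saw, in order: the first client is challenged once and then sends the same header on both requests, while the second client, standing in for a restarted browser, has nothing cached and gets a 401.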
 