
Http Basic Authentication

 
Luke Murphy
Ranch Hand
Posts: 300
When using basic authentication, the HTTP client will set the Authorization token to an encoded version of the username and password and send the request to the server.
This usually happens after the submission of the Basic Authentication form. I am looking at HTTP requests in Fiddler that happen after the Basic Authentication has been completed and I can still see this Authorization token set. I am just wondering how this is, considering HTTP is stateless?

Many thanks.
 
Tim Moores
Bartender
Posts: 2747
38
  • Likes 1
It is resending the auth data precisely because HTTP is stateless - there is no session at work, so the auth info needs to be resent with each request.
 
Luke Murphy
Ranch Hand
Posts: 300
Tim Moores wrote: It is resending the auth data precisely because HTTP is stateless - there is no session at work, so the auth info needs to be resent with each request.


Brilliant answer. So the browser resends. Where does the browser store it then - in a cookie?

 
Tim Moores
Bartender
Posts: 2747
38
  • Likes 1
No, in memory. That's why you need to reenter the auth info if you restart the browser.
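
An added example, not part of the original thread: a Python sketch of the behaviour described in the answers above. The server side judges every request only on its own `Authorization` header, and the client side keeps that header in memory and resends it. The user table, realm name and function names are assumptions made for this illustration. The decoding step also shows that the header is base64 encoding rather than encryption, so anyone who can read the request, as Fiddler does, can recover the password unless the connection uses TLS.

```python
import base64
import binascii
import hmac

# Constructed sample account; names and values are assumptions for this example.
USERS = {"luke": "s3cret:with:colons"}

def build_basic_header(username, password):
    """What the client does: base64("user:pass"), an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_header(value):
    """Recover (username, password) from an Authorization header value, or None."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return (username, password) if sep else None

def handle_request(headers):
    """Stateless handler: every request is judged only on its own headers."""
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is not None:
        expected = USERS.get(creds[0])
        # Constant-time comparison avoids leaking how much of the password matched.
        if expected is not None and hmac.compare_digest(
            creds[1].encode("utf-8"), expected.encode("utf-8")
        ):
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="example"'}

def browser_session(paths):
    """Mimic the browser: keep the header in memory and resend it on each request."""
    cached = None
    statuses = []
    for path in paths:
        headers = {"Authorization": cached} if cached else {}
        status, _ = handle_request(headers)
        if status == 401:  # challenged: "prompt" once, cache the header, retry
            cached = build_basic_header("luke", USERS["luke"])
            status, _ = handle_request({"Authorization": cached})
        statuses.append((path, status))
    return statuses
```

The `cached` variable lives only for the duration of `browser_session`, which mirrors why the credentials must be re-entered after a browser restart.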
 
Luke Murphy
Ranch Hand
Posts: 300
Tim Moores wrote: No, in memory. That's why you need to reenter the auth info if you restart the browser.


Great stuff Tim. Well explained. Succinct and clinical. I actually couldn't find much on this in Google. I suppose the browser is not obliged to do this. It just does this to be nice. Correct?
Can it be turned off?
 
Paul Clapham
Sheriff
Pie
Posts: 20980
31
Yes, the browser does that for the convenience of its users. In other words, so they don't have to key in the authentication every single time they go to a page on a site which uses basic authentication.

So "Can it be turned off" is a question about each browser individually. You could poke around in their configurations, probably under some tab labelled "Security". But I can't imagine why you would want to turn it off, considering that would just make you key in your authentication repeatedly.
 
Luke Murphy
Ranch Hand
Posts: 300
Paul Clapham wrote:
So "Can it be turned off" is a question about each browser individually. You could poke around in their configurations, probably under some tab labelled "Security". But I can't imagine why you would want to turn it off, considering that would just make you key in your authentication repeatedly.

Just curious really.
 