Basic access authentication

Basic access authentication

In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.

Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ= when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly".

Wrongly, people believe that this base-64 encoding is done because of security, to prevent it from being read directly by a person. Encoding is done, instead, to avoid breaking the HTTP protocol data encoding because of bizarre (and more secure) passwords containing special HTTP characters, such as newlines.

The basic access authentication was originally defined by RFC 1945 ("Hypertext Transfer Protocol – HTTP/1.0") although further information regarding security issues may be found in RFC 2616 ("Hypertext Transfer Protocol – HTTP/1.1") and RFC 2617 ("HTTP Authentication: Basic and Digest Access Authentication").


One advantage of the basic access authentication is that it is supported by all popularrefun|ref_AuthSupportPopular web browsers. It is rarely used on publicly accessible Internet web sites but may sometimes be used by small, private systems. A later mechanism, digest access authentication, was developed in order to replace the basic access authentication and enable credentials to be passed in a relatively secure manner over an otherwise insecure channel.

"all popular web browsers" in this context includes any browsers currently holding 0.2% of the market share or more. See Comparison of Web Browsers for more information on HTTP support in web browsers.


Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, the credentials are passed as plaintext and could be intercepted easily. The scheme also provides no protection for the information passed back from the server.

According to RFC 2616, existing browsers retain authentication information indefinitely. HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way to "log out" without closing the browser. This is a significant defect that requires further extensions to HTTP.


Here is a typical transaction between an HTTP client and an HTTP server running on the local machine (localhost). It comprises the following steps.

* The client asks for a page that requires authentication but does not provide a user name and password. Typically this is because the user simply entered the address or followed a link to the page.
* The server responds with the 401 response code and provides the authentication realm.
* At this point, the client will present the authentication realm (typically a description of the computer or system being accessed) to the user and prompt for a user name and password. The user may decide to cancel at this point.
* Once a user name and password have been supplied, the client re-sends the same request but includes the authentication header.
* In this example, the server accepts the authentication and the page is returned. If the user name is invalid or the password incorrect, the server might return the 401 response code and the client would prompt the user again.

Note: A client may pre-emptively send the authentication header in its first request, with no user interaction required.


Client request (no authentication):

GET /private/index.html HTTP/1.0Host: localhost

(followed by a new line, in the form of a carriage return followed by a line feed).

Server response:

HTTP/1.0 401 UNAUTHORIZEDServer: HTTPd/1.0Date: Sat, 27 Nov 2004 10:18:15 GMTWWW-Authenticate: Basic realm="Secure Area"Content-Type: text/htmlContent-Length: 311


401 Unauthorised.

Client request (user name "Aladdin", password "open sesame"):

GET /private/index.html HTTP/1.0Host: localhostAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=

(followed by a blank line, as before).

Server response:

HTTP/1.0 200 OKServer: HTTPd/1.0Date: Sat, 27 Nov 2004 10:19:07 GMTContent-Type: text/htmlContent-Length: 10476

(followed by a blank line and HTML text comprising of the restricted page).

See also

* Digest access authentication
* [ Overview of how proxies and NTLM works, and a guide to configure NTLM-ASP for proxy bypassing]

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Digest access authentication — HTTP Persistence · Compression · HTTPS Request methods OPTIONS · GET · HEAD · POST · PUT · DELETE · TRACE · CONNECT Header fields Cookie · ETag · Location · Referer DNT · …   Wikipedia

  • Basic — may be: *BASIC, a computer programming language *Basic (cigarette), a brand of cigarettes manufactured by the Altria Group (Philip Morris Company) *Basic (dance move), the dance move that defines the character of a particular dance *Basic (film) …   Wikipedia

  • Access control — is the ability to permit or deny the use of a particular resource by a particular entity. Access control mechanisms can be used in managing physical resources (such as a movie theater, to which only ticketholders should be admitted), logical… …   Wikipedia

  • HTTP+HTML Form based authentication — HTTP+HTML Form based authentication, typically presently colloquially referred to as simply Form based authentication (which in actuality is ambiguous, see form based authentication for further explanation), is a technique whereby a website uses… …   Wikipedia

  • Common Access Card — An example DoD Common Access Card The Common Access Card (CAC) is a United States Department of Defense (DoD) smart card issued as standard identification for active duty military personnel, reserve personnel, civilian employees, other non DoD… …   Wikipedia

  • Form based authentication — is presently (i.e. early in the 21st century) employed as a term of art in the context of Web and Internet based online networked computer systems. In general, it refers to the notion of a user being presented with an editable form to fill in and …   Wikipedia

  • Two-factor authentication — (TFA, T FA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is a part of the broader family of multi factor authentication, which is a defense in …   Wikipedia

  • Secure Password Authentication — is a protocol used to authenticate with a Simple Mail Transfer Protocol (SMTP) server. The protocol is attributed to Microsoft, but it is not an original protocol, but based on the NTLM authentication scheme.NTLM Authentication Scheme for… …   Wikipedia

  • Lightweight Directory Access Protocol — The Lightweight Directory Access Protocol (LDAP;  /ˈɛld …   Wikipedia

  • Microsoft Data Access Components — MDAC redirects here. For other uses, see MDAC (disambiguation). MDAC (Microsoft Data Access Components) Microsoft Corporation s MDAC provides a uniform framework for accessing a variety of data sources on their Windows platform. Developer(s)… …   Wikipedia