390

I'm setting up basic authentication on a php site and found this page on the php manual showing the set up. What does "realm" mean here in the header?

header('WWW-Authenticate: Basic realm="My Realm"');

Is it the page being requested?

Havvy
RayLoveless
  • I was bored by the fact that the Wikipedia page didn't mention the meaning of `realm` and I was required to ask for that on SO. But then, luckily, your question appeared. – Niki Romagnoli Oct 24 '22 at 11:15

3 Answers

343

From RFC 1945 (HTTP/1.0) and RFC 2617 (HTTP Authentication referenced by HTTP/1.1)

The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme.

In short, pages in the same realm should share credentials. If your credentials work for a page with the realm "My Realm", it should be assumed that the same username and password combination should work for another page with the same realm.

Dennis Meissel
  • Some servers don't provide a realm in their authentication challenges. – orkoden Jun 28 '13 at 17:20
  • When I work with IIS, I configure different realms for different virtual folders (under the same site). But I am not sure if this is correct. But it seems to work for me. When I visit a virtual folder for a different realm, I did get prompted for credentials. – smwikipedia Sep 07 '14 at 16:05
  • Note: RFC 2617 has been updated (NOT obsoleted) by [RFC 7235](http://tools.ietf.org/html/rfc7235) – Hawkeye Parker Nov 11 '14 at 07:41
135

A realm can be seen as an area (not a particular page, it could be a group of pages) for which the credentials are used; this is also the string that will be shown when the browser pops up the login window, e.g.

Please enter your username and password for <realm name>:

When the realm changes, the browser may show another popup window if it doesn't have credentials for that particular realm.

Ja͢ck
  • How to group pages under a realm? – Green Dec 17 '15 at 10:16
  • @Green The `.htaccess` goes by hierarchy, so anything that's under a certain directory can be given the same realm. – Ja͢ck Dec 18 '15 at 08:15
  • @Jack, I naively thought that all the pages with an authentication header with a given realm are in that realm and there are no other rules. Am I wrong? –  May 22 '16 at 20:04
  • Both Chrome and Firefox don't show the realm to a user anymore. I guess it's probably to avoid a phishing attack where a hacker from evil.com makes a realm "Type your example.com password" and a user may not check the real domain and types their password. That's sad because it made basic auth even less user-friendly. – Sergey Ponomarev Feb 28 '23 at 00:07
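As an added example (not code from the question or from either answer above), here is a Python model of what the two answers describe: a server that splits its URL space into two realms, each with its own user database, and a browser that caches credentials per protection space, i.e. per (canonical root URL, realm). The origin `example.com`, the realm names "My Realm" and "Admin Area", the path-to-realm table and the users `alice`/`root` are all constructed for the demo. The browser is simplified: it always makes one unauthenticated request, reads the realm from the 401 challenge, and only then decides whether it already has credentials for that protection space (a real browser additionally sends credentials preemptively for paths under one where it already authenticated).

```python
import base64
import hmac
import re
from urllib.parse import urlsplit

# Constructed demo data (not from the original page): two realms on one origin,
# each with its own authorization database, as RFC 2617/7235 put it.
USERS = {
    "My Realm": {"alice": "s3cret"},
    "Admin Area": {"root": "hunter2"},
}
# Path prefix -> realm protecting it; the longest matching prefix wins,
# mirroring a per-directory .htaccess / AuthName layout.
REALMS = {"/admin/": "Admin Area", "/": "My Realm"}


def realm_for(path):
    prefix = max((p for p in REALMS if path.startswith(p)), key=len)
    return REALMS[prefix]


def basic_token(user, password):
    """Build the Authorization value a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def server(path, headers):
    """Origin server: returns (status, response headers) for one request."""
    realm = realm_for(path)
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except ValueError:          # bad base64 or bad UTF-8: treat as no credentials
            creds = ""
        user, _, password = creds.partition(":")
        expected = USERS[realm].get(user)
        # Constant-time comparison so a wrong password costs the same as a right one.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return 200, {}
    # Missing or rejected credentials: challenge, naming the protection space.
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


class Browser:
    """Caches credentials per protection space = (canonical root URL, realm)."""

    def __init__(self):
        self.cache = {}
        self.prompts = []       # every protection space the user was asked about

    def fetch(self, url, ask_user):
        parts = urlsplit(url)
        root = f"{parts.scheme}://{parts.netloc}"
        status, resp = server(parts.path, {})
        if status != 401:
            return status
        m = re.search(r'realm="([^"]*)"', resp["WWW-Authenticate"])
        space = (root, m.group(1) if m else "")
        if space not in self.cache:             # first visit to this realm: prompt
            self.prompts.append(space)
            self.cache[space] = ask_user(space)
        user, password = self.cache[space]
        status, _ = server(parts.path, {"Authorization": basic_token(user, password)})
        if status == 401:
            del self.cache[space]               # rejected: forget them, ask again next time
        return status


def demo():
    """Visit three pages; returns (statuses, protection spaces that prompted)."""
    known = {
        ("http://example.com", "My Realm"): ("alice", "s3cret"),
        ("http://example.com", "Admin Area"): ("root", "hunter2"),
    }
    b = Browser()
    statuses = [
        b.fetch("http://example.com/index.php", known.__getitem__),
        b.fetch("http://example.com/reports.php", known.__getitem__),      # same realm: no prompt
        b.fetch("http://example.com/admin/users.php", known.__getitem__),  # new realm: prompt
    ]
    return statuses, b.prompts


if __name__ == "__main__":
    print(demo())   # ([200, 200, 200], [('http://example.com', 'My Realm'), ('http://example.com', 'Admin Area')])
```

Three pages produce only two prompts: `reports.php` is in the same protection space as `index.php`, so the cached credentials are reused, while `/admin/` names a different realm and triggers a fresh prompt. Note that `alice`'s credentials are rejected under "Admin Area" even though they are valid on the same host, which is the point of partitioning one server into several realms.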
27

According to the RFC 7235, the realm parameter is reserved for defining protection spaces (set of pages or resources where credentials are required) and it's used by the authentication schemes to indicate a scope of protection.

For more details, see the quote below (the highlights are not present in the RFC):

2.2. Protection Space (Realm)

The "realm" authentication parameter is reserved for use by authentication schemes that wish to indicate a scope of protection.

A protection space is defined by the canonical root URI (the scheme and authority components of the effective request URI) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, that can have additional semantics specific to the authentication scheme. Note that a response can have multiple challenges with the same auth-scheme but with different realms. [...]


Note 1: The framework for HTTP authentication is currently defined by the RFC 7235, which updates the RFC 2617 and makes the RFC 2616 obsolete.

Note 2: The realm parameter is no longer always required on challenges.

Dennis Meissel
cassiomolin
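As an added example (not part of the answer above or of the RFC), here is a small Python parser for the `WWW-Authenticate` grammar RFC 7235 describes, plus a helper that derives the protection space from the effective request URI the way section 2.2 defines it: scheme and authority (lower-cased, default port dropped) combined with the realm value if present. It handles the two points the answer and the comments raise: a response can carry several challenges with different realms, and a challenge may have no realm at all. The sample header in the usage note is the RFC's own example; `token68` (the bare opaque value form, e.g. `Bearer abc==`) is supported so that form is not mistaken for an auth-param. Parameter names are treated as case-insensitive and realm values as case-sensitive, as the quoted RFC text requires.

```python
import re
from urllib.parse import urlsplit

# RFC 7230 token and quoted-string; RFC 7235 token68 for bare opaque values.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
_SEP = re.compile(r"[\s,]*")                    # whitespace/commas between list members
_SCHEME = re.compile(rf"({TOKEN})")
_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*")
_TOKEN68 = re.compile(r"\s*([A-Za-z0-9\-._~+/]+=*)\s*(?=,|$)")
_COMMA = re.compile(r",\s*")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_challenges(header):
    """Split a WWW-Authenticate value into challenges.

    Returns a list of {"scheme", "params", "token68"}. Parameter names are
    lower-cased (case-insensitive); values keep their case (realm is
    case-sensitive). A challenge without a realm simply has no "realm" key.
    """
    challenges = []
    i, n = 0, len(header)
    while i < n:
        i = _SEP.match(header, i).end()
        if i >= n:
            break
        m = _SCHEME.match(header, i)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {i}")
        ch = {"scheme": m.group(1), "params": {}, "token68": None}
        challenges.append(ch)
        i = m.end()
        m = _TOKEN68.match(header, i)
        if m and not _PARAM.match(header, i):    # e.g. "Bearer abc==": opaque token, no params
            ch["token68"] = m.group(1)
            i = m.end()
            continue
        while True:
            m = _PARAM.match(header, i)
            if not m:                            # next item is a new scheme, or the end
                break
            name, value = m.group(1).lower(), m.group(2)
            if value.startswith('"'):            # unquote and drop backslash escapes
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            ch["params"][name] = value
            i = m.end()
            m = _COMMA.match(header, i)
            if not m:
                break
            i = m.end()
    return challenges


def protection_space(request_url, challenge):
    """(canonical root URI, realm) per RFC 7235 section 2.2.

    The root is scheme + authority of the effective request URI with the
    scheme and host lower-cased and the default port dropped; realm is None
    when the challenge carries none.
    """
    u = urlsplit(request_url)
    scheme = u.scheme.lower()
    host = u.hostname or ""                      # urlsplit already lower-cases the host
    if ":" in host:                              # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if u.port is not None and u.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}", challenge["params"].get("realm")


if __name__ == "__main__":
    # The multi-challenge example from RFC 7235 itself.
    hdr = 'Newauth realm="apps", type=1, title="Login to \\"apps\\"", Basic realm="simple"'
    for c in parse_challenges(hdr):
        print(c["scheme"], protection_space("HTTP://Example.COM:80/secure/index.php", c))
```

Because the two challenges above name different realms, a client ends up with two distinct protection spaces on the same canonical root (`http://example.com`), and the credentials it stores for one must not be offered for the other. A bare `Basic` challenge parses fine and yields a realm of `None`, which is the "no realm" case mentioned in the comments; a server that wants a predictable credential-sharing boundary should still send one.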