I am confused about basic HTTP authorization. Is it necessary to send every request to the server with an Authorization
header, or just the first one, after which the browser remembers the auth token like a session ID?

Depends if the server has session persistence or not. This is not part of the basic authentication spec. – Boris the Spider Sep 27 '15 at 18:28
Yes. And if not supplied, the browser does it for you. Nevertheless, it is always passed for every request. – daparic Sep 13 '20 at 17:20
3 Answers
You have to send the Authorization header on each request. But for example Chrome remembers the auth tokens and sends them automatically on each request.

Using basic authentication, every request needs to have an Authorization
HTTP header in the format:
Authorization: Basic <base64(username:password)>
where the username and password are concatenated using a colon (':') and the resulting string is base64 encoded.
If the Authorization header is not part of the request, or the credentials inside are not valid, the server should respond with an HTTP 401 Unauthorized response and include an HTTP header like:
WWW-Authenticate: Basic realm="myRealm"
Basic authentication is an implicit authentication scheme, so after the user enters valid credentials, the browser will send them along with each page request.
For AJAX requests you'll need to attach this header from code. However, you really should not use basic authentication to protect an API, for a number of reasons:
- You'd force the client to hold those credentials in code, where they can easily be stolen.
- You must use HTTPS with basic authentication as base64 encoding gives no protection of the credentials at all.
- Username/password combinations are usually valid much longer than an access token, thereby increasing the risk if they get stolen.
- Password validation should be a slow process to mitigate brute force attacks, where token validation is just verifying a digital signature.
- Having to send the username/password over the wire every time increases the attack surface for someone trying to break the encryption.
Better alternatives to protect web APIs are token based authentication schemes like OAuth2 or HMAC based authentication schemes like Hawk or AWS
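The header format and the 401 challenge described in this answer, shown as an added example in Python (not code from the original answer): a client-side header builder and a server-side check that validates every request on its own, remembering nothing between calls. The USERS store, the realm name and the sample credentials are constructed for the demo.

```python
import base64
import binascii
import hmac

# Constructed demo credential store: username -> password. A real server would
# keep a slow password hash (bcrypt/argon2), never the plaintext.
USERS = {"alice": "s3cret:with:colons"}

def build_basic_header(username: str, password: str) -> str:
    """Client side: Authorization: Basic base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_header(header: str):
    """Return (username, password), or None if the header is not a well-formed Basic credential."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Per RFC 7617 only the first colon separates user-id and password,
    # so a password is allowed to contain ':' itself.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password

def handle_request(headers: dict) -> tuple:
    """Server side: each request is checked independently; absent or bad credentials get a 401 challenge."""
    challenge = {"WWW-Authenticate": 'Basic realm="myRealm", charset="UTF-8"'}
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge
    username, password = creds
    expected = USERS.get(username)
    # Constant-time comparison so response timing does not leak how much of the password matched.
    if expected is None or not hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return 401, challenge
    return 200, {}

if __name__ == "__main__":
    hdr = build_basic_header("alice", "s3cret:with:colons")
    print(hdr)
    print(handle_request({"Authorization": hdr}))  # accepted
    print(handle_request({}))                        # next request without the header: 401 again
```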
Yeah, that's correct. So the first time the user logs in, his credentials are verified against some data; if correct, an auth token is generated.
An auth token is pretty much a self-contained entity (which stores some data signed with a key).
This token gets stored at the client side (usually along with a refresh token) for all subsequent requests; this token is kept in the Authorization header (Bearer + token).
When the server receives this token, it decrypts it with the key which it used earlier to sign that token, and uses that stored data.
If that auth token is expired, the refresh token comes into play.
Some links to begin with: On a high level, how does OAuth 2 work? and jwt.io to get the feel of tokens.

The question is about basic authentication. Your answer is about token based authentication. These are two entirely different things. – MvdD Sep 27 '15 at 19:47