Basic HTTP Authentication
Basic HTTP Authentication, or simply Basic Auth, is a rudimentary yet common method for securing resources on the web. Though easy to implement, its inherent security vulnerabilities make it a frequent target for brute-force attacks.
Overview
Basic Auth is a challenge-response protocol where a web server demands user credentials before granting access to protected resources. The process begins when a user attempts to access a restricted area. The server responds with a 401 Unauthorized status and a WWW-Authenticate header prompting the user’s browser to present a login dialog.
Authentication Flow
- Client Request: User attempts to access a protected resource
- Server Challenge: Server responds with 401 Unauthorized and a WWW-Authenticate header
- Browser Dialog: Browser presents login dialog to user
- Credential Submission: User provides username and password
- Encoding: Browser concatenates credentials (username:password) and Base64 encodes them
- Authorization Header: Encoded credentials are sent in the Authorization: Basic <encoded_credentials> header
- Server Verification: Server decodes credentials, verifies against database, and grants or denies access
Credential Encoding
Credentials are encoded using Base64:
- Format: username:password (colon-separated)
- Encoded using Base64
- Sent in the Authorization header as: Basic <encoded_credentials>
Example Request
GET /protected_resource HTTP/1.1
Host: www.example.com
Authorization: Basic YWxpY2U6c2VjcmV0MTIz
In this example, YWxpY2U6c2VjcmV0MTIz is the Base64 encoding of alice:secret123.
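Both halves of the flow above, as an added example that is not part of the original page: the client builds the header from the page's alice:secret123 credentials, and the server parses it (splitting on the first colon, so passwords may contain colons), rejects malformed tokens with a 401, and compares against a salted PBKDF2 hash in constant time. The realm name and the PBKDF2 credential store are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample credentials, taken from the page's example request.
USERNAME, PASSWORD = "alice", "secret123"


def build_basic_header(username: str, password: str) -> str:
    """Client side: 'username:password' -> Base64 -> Authorization header value."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: return (username, password), or None if the header is malformed.
    The split is on the FIRST colon, so the password itself may contain colons."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store (assumption): keep a salted hash, never the plaintext.
SALT = secrets.token_bytes(16)
CREDENTIALS = {USERNAME: (SALT, hash_password(PASSWORD, SALT))}
CHALLENGE = 'WWW-Authenticate: Basic realm="example", charset="UTF-8"'  # sent with every 401


def authenticate(authorization: Optional[str]) -> int:
    """Return the HTTP status the server should send: 200 on success, 401 otherwise."""
    creds = parse_basic_header(authorization) if authorization else None
    if creds is None:
        return 401
    username, password = creds
    salt, stored = CREDENTIALS.get(username, (SALT, b""))  # unknown user still costs a hash
    return 200 if hmac.compare_digest(hash_password(password, salt), stored) else 401
```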
Security Considerations
- Vulnerable to Brute-Force: Captured credentials are trivially decoded (Base64 is encoding, not encryption)
- No Encryption: Base64 encoding provides no security; credentials are transmitted in plaintext
- No Session Management: Each request must include credentials
- Frequent Target: Common attack vector due to simplicity and widespread use