HTTP authentication
HTTP authentication is a method by which the user of a web browser can authenticate to a web server or a web application in order to then be authorized for further access.
It is part of the Hypertext Transfer Protocol (HTTP), which forms the basis of the World Wide Web.
Function
If the web server determines that a user name or password is required for a requested URL, it reports this to the browser with the status code 401 Unauthorized and the WWW-Authenticate header. The browser then determines the data required for logging in (by asking the user or using values entered earlier) and sends the result to the server, which then sends the desired page if the access data is correct, otherwise a corresponding error message.
On the server side, the authentication must be configured accordingly. In the case of the Apache HTTP server, for example, this is done by writing the relevant directives provided by the authentication modules in a .htaccess file or a central server configuration file.
Once the protocol has completed, the user is authenticated to the web server, but the reverse does not apply: the user cannot be sure that the web server is really what it claims to be. A spoofing attack can simulate a legitimate web server, for example to gain access to additional user data. Usually, a security protocol such as Hypertext Transfer Protocol Secure (HTTPS) is used to authenticate the web server to the user; it can confirm the identity of the web server with the aid of digital certificates.
Use
Larger websites use this standardized method only rarely, since the input fields for username and password cannot be styled and cannot be integrated into the site's own pages as easily as an HTML form. The HTTP auth query is sometimes supplemented by the site's own JavaScript functions.
HTTP authentication can often be found on simple homepages as no programming is necessary. Many web space providers offer a simple option for configuration via web interface.
Procedure
There are several ways to authenticate users (clients). The following are common:
Basic authentication
Basic authentication, specified in RFC 2617, is a commonly used kind of HTTP authentication. The web server requests authentication with the header
WWW-Authenticate: Basic realm="RealmName"
where RealmName represents a description of the protected area, for example "Log files / Server information". The browser then looks up the username and password for this URL and asks the user if necessary. It then sends the credentials to the server in the Authorization header, in the form username:password, Base64-encoded.
Example:
Authorization: Basic d2lraTpwZWRpYQ==
"d2lraTpwZWRpYQ==" is the Base64 encoding of wiki:pedia and stands for username wiki, password pedia.
A disadvantage of this procedure is that the username and password are only encoded for technical reasons, but not encrypted. From a security point of view, this procedure is therefore just as insecure as if the password were transmitted in plain text. When SSL/TLS encryption is used via HTTPS, an encrypted connection is established before the password is transmitted, so that the password cannot be intercepted even with basic authentication.
Digest Access Authentication
With Digest Access Authentication (also RFC 2617) the server sends a specially generated random string (nonce) together with the WWW-Authenticate header. The browser calculates the hash code (usually MD5) from a combination of user name, password, received character string, HTTP method and requested URL. It sends this back to the server in the Authorization header together with the user name and the random string. The server in turn calculates the checksum itself and compares the two. The procedure is therefore similar to that of the Message Authentication Code.
Provided the hash function used is cryptographically secure, eavesdropping on the communication is of no use to an attacker, since the access data cannot be reconstructed from the hash value and, because of the nonce, the value is different for each request. (In particular, the widely used MD5 hash function is no longer considered secure.) The rest of the data transmission, however, is not protected. Hypertext Transfer Protocol Secure (HTTPS) can be used to achieve this.
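The calculation described above, as an added example that is not part of the original article: it computes the Digest response as RFC 2617 defines it (the realm, which the text above does not list, is also part of the hash) and recomputes it on the server side. The function names are assumptions of this example, and the sample header uses the values of the worked example in RFC 2617.

```python
import hashlib
import hmac
import re

# Constructed sample: the values of the worked example in RFC 2617, section 3.5.
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"')

def md5_hex(text):
    # MD5 is what the scheme usually uses; it is no longer considered secure.
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """Digest 'response' value per RFC 2617 (hypothetical helper name)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # credentials, never sent
    ha2 = md5_hex(f"{method}:{uri}")             # binds the hash to this request
    if qop:  # qop=auth adds a request counter and a client nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")       # form without qop

def parse_digest_header(value):
    """Parse 'Digest k="v", k=v' into a dict (simplified: no escaped quotes)."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def server_verify(header, method, password_db, issued_nonces):
    """Recompute the response on the server and compare in constant time."""
    p = parse_digest_header(header)
    password = password_db.get(p.get("username"))
    if password is None or p.get("nonce") not in issued_nonces:
        return False  # unknown user, or a nonce this server never issued
    # A real server would also check p["uri"] against the requested URL.
    expected = digest_response(p["username"], p.get("realm", ""), password,
                               method, p.get("uri", ""), p["nonce"],
                               p.get("nc"), p.get("cnonce"), p.get("qop"))
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())

if __name__ == "__main__":
    db = {"Mufasa": "Circle Of Life"}
    nonces = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}
    print(server_verify(SAMPLE_HEADER, "GET", db, nonces))   # same request
    print(server_verify(SAMPLE_HEADER, "POST", db, nonces))  # other method
```

Because the HTTP method and the nonce go into the hash, a captured header does not verify for a different method or after the server has retired the nonce.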
NTLM HTTP Authentication
In intranets with Windows servers, the proprietary NTLM authentication scheme is often used, which has been considered insecure for years. It is therefore advisable to use Kerberos to protect intranets.
Web links
- RFC 2617 (HTTP Authentication)
- RFC 2616 (Hypertext Transfer Protocol - HTTP/1.1)
- Collection of useful .htaccess examples
- Setting up an encrypted HTTP authentication with htdigest