Tuesday, May 8, 2018

Basic, Form, Digest authentication

https://en.wikipedia.org/wiki/Basic_access_authentication is to be used with HTTPS only; otherwise you send the password in clear text (it is merely base64-encoded, not digested). Popup-based (the browser prompts for credentials), unlike form-based.

"To unauthenticated requests, the server should return a response whose header contains a HTTP 401 Unauthorized status and a WWW-Authenticate field."


https://en.wikipedia.org/wiki/HTTP%2BHTML_form-based_authentication is the same thing as "form-based authentication".

https://en.wikipedia.org/wiki/Digest_access_authentication uses a hash function plus a server-supplied nonce (HA1 = MD5(username:realm:password)) so that a hash of username:password is sent instead of the credentials themselves, making it more secure than basic authentication.

Something completely NUTS: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields "Authorization Authentication credentials for HTTP authentication. Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== " they want to AUTHENTICATE but they use an "Authorization" header.... how confusing...
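Here is an added example (not from the original post) that puts the three pieces above together: building the Basic header and recovering its clear-text value, parsing a 401 WWW-Authenticate challenge, and computing a Digest response from HA1. The challenge values and the "Mufasa" / "Circle Of Life" credentials are the worked example from RFC 2617; the function names are my own.

```python
import base64
import hashlib
import re

# Constructed sample challenge, taken from the RFC 2617 worked example.
# "Aladdin" / "open sesame" is the example from the Wikipedia header-field page.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')


def basic_header(username: str, password: str) -> str:
    """Authorization value for Basic auth: base64(user:pass).
    Base64 is a reversible encoding, not a hash, hence the need for HTTPS."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_cleartext(header_value: str) -> str:
    """What a passive observer of a plain-HTTP connection recovers at once."""
    return base64.b64decode(header_value.split(" ", 1)[1]).decode()


def parse_challenge(www_authenticate: str) -> dict:
    """Split a 401 WWW-Authenticate value into its scheme and key="value" params."""
    scheme, _, params = www_authenticate.partition(" ")
    fields = dict(re.findall(r'(\w+)="([^"]*)"', params))
    fields["scheme"] = scheme
    return fields


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, challenge, method, uri, nc, cnonce):
    """RFC 2617 Digest with qop=auth:
    HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
    The password never leaves the client, and the server-chosen nonce means a
    captured response cannot simply be replayed against a fresh challenge."""
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:"
                   f"{challenge['qop']}:{ha2}")
```

MD5 is used because that is the algorithm in the HA1 formula quoted above; RFC 7616 later added SHA-256 variants of the same scheme.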
