7/4/2017 HTTPAuthentication|HttpWatch

10. HTTP Authentication


HTTP supports the use of several authentication mechanisms to control access to pages and other resources. These mechanisms are all based
around the use of the 401 status code and the WWW-Authenticate response header.

The most widely used HTTP authentication mechanisms are:

Basic: The client sends the user name and password as unencrypted base64 encoded text. It should only be used with HTTPS, as the
password can be easily captured and reused over HTTP.

Digest: The client sends a hashed form of the password to the server. Although the password cannot be captured over HTTP, it may be
possible to replay requests using the hashed password.

NTLM: This uses a secure challenge/response mechanism that prevents password capture or replay attacks over HTTP. However, the
authentication is per connection and will only work with HTTP/1.1 persistent connections. For this reason, it may not work through all
HTTP proxies and can introduce large numbers of network round trips if connections are regularly closed by the web server.

In this section, we will just discuss the Basic authentication mechanism; more detailed information about HTTP authentication can be found
in RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt).

10.1 Basic Authentication


If an HTTP server receives an anonymous request for a protected resource, it can force the use of Basic authentication by rejecting the request with a
401 (Access Denied) status code and setting the WWW-Authenticate response header as shown below:

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="MyServer"
Content-Length: 0

The word Basic in the WWW-Authenticate header selects the authentication mechanism that the HTTP client must use to access the resource. The
realm string can be set to any value to identify the secure area and may be used by HTTP clients to manage passwords.

Most web browsers will display a login dialog when this response is received, allowing the user to enter a username and password. This
information is then used to retry the request with an Authorization request header:

GET /securefiles/ HTTP/1.1
Host: www.httpwatch.com
Authorization: Basic aHR0cHdhdGNoOmY=

The Authorization header specifies the authentication mechanism (in this case Basic) followed by the username and password. Although the string
aHR0cHdhdGNoOmY= may look encrypted, it is simply a base64 encoded version of <username>:<password>. In this example, the un-encoded
string "httpwatch:foo" was used and would be readily available to anyone who could intercept the HTTP request.
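The challenge/response exchange described above, written out as an added example (this is not code from the HttpWatch page or product). The server-side half builds the 401 challenge and checks an Authorization header against a constructed user table using a constant-time comparison; the client-side half parses the WWW-Authenticate value and encodes <username>:<password> exactly as a browser does. Decoding the header value from the page's own example shows why Basic must only travel over HTTPS: base64.b64decode("aHR0cHdhdGNoOmY=") gives "httpwatch:f", which is one character short of the "httpwatch:foo" the text mentions, but either way the password is recovered with no key at all. The users dictionary and realm value are constructed for the example; the rule that a Basic username may not contain a colon comes from RFC 2617.

```python
import base64
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed sample credentials for the example (assumption: not a real server's user table).
USERS: Dict[str, str] = {"httpwatch": "foo"}
REALM = "MyServer"

# Matches the scheme and realm of a challenge such as: Basic realm="MyServer"
_CHALLENGE_RE = re.compile(r'^\s*(?P<scheme>\w+)\s+realm="(?P<realm>[^"]*)"', re.IGNORECASE)


def challenge_response(realm: str = REALM) -> str:
    """Build the 401 response a server sends to force Basic authentication."""
    return (
        "HTTP/1.1 401 Access Denied\r\n"
        f'WWW-Authenticate: Basic realm="{realm}"\r\n'
        "Content-Length: 0\r\n"
        "\r\n"
    )


def parse_challenge(header_value: str) -> Tuple[str, str]:
    """Client side: read the scheme and realm out of a WWW-Authenticate value."""
    match = _CHALLENGE_RE.match(header_value)
    if not match:
        raise ValueError("unsupported WWW-Authenticate challenge")
    return match.group("scheme").lower(), match.group("realm")


def make_authorization(username: str, password: str) -> str:
    """Client side: encode <username>:<password> as base64, exactly as a browser does.

    RFC 2617 forbids a colon in the user-id because it is the separator.
    """
    if ":" in username:
        raise ValueError("Basic auth usernames cannot contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_authorization(header_value: str) -> Tuple[str, str]:
    """Recover the username and password from an Authorization header value.

    This is all an eavesdropper on plain HTTP has to do: base64 is encoding, not encryption.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # validate=True rejects stray characters; binascii.Error is a ValueError subclass.
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: missing ':' separator")
    return username, password


def authenticate(header_value: Optional[str], users: Dict[str, str] = USERS) -> int:
    """Server side: return the HTTP status code the request should receive.

    Any missing, malformed or unknown credential gets 401 so the client is re-challenged.
    """
    if not header_value:
        return 401
    try:
        username, password = decode_authorization(header_value)
    except ValueError:
        return 401
    expected = users.get(username)
    if expected is None:
        return 401
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return 401
    return 200


if __name__ == "__main__":
    # Walk through the exchange once: challenge, parse, answer, verify.
    print(challenge_response(), end="")
    scheme, realm = parse_challenge('Basic realm="MyServer"')
    header = make_authorization("httpwatch", "foo")
    print(f"{scheme} realm={realm!r} -> Authorization: {header}")
    print("status:", authenticate(header))
    print("page example decodes to:", decode_authorization("Basic aHR0cHdhdGNoOmY="))
```

Running the script prints the 401 challenge, the Authorization header a browser would send for httpwatch/foo, the resulting 200, and the credentials recovered from the page's own header value.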

Example 10

Clicking the Display Image button will attempt to access an image file that uses HTTP Basic Authentication. You will need to enter
httpwatch as the username and a different password every time you access the image:

Authenticated Image:


Using HttpWatch with Example 10

To view the use of HTTP authentication on this page:

1. Open HttpWatch by right clicking on the web page and selecting HttpWatch from the context menu

2. Click on Record to start logging requests in HttpWatch

3. Click on the Display Image button above

4. A 401 response is received and the login dialog is displayed.

5. If you enter a username of httpwatch and some unique text as the password, the request will be successfully processed with a
200 response.

6. Select the Headers tab to view the use of the WWW-Authenticate and Authorization headers


Copyright 2017 Neumetrix Limited (/)
