HTTP Gallery: HTTP Authentication
Basic: The client sends the user name and password as base64-encoded text. Base64 is an encoding, not encryption, so Basic should only be used over HTTPS; over plain HTTP the password can be trivially captured and reused.
Digest: The client sends an MD5 hash computed from the password, a server-supplied nonce and the request details rather than the password itself. Although the password is not exposed on the wire, the hash can be attacked offline with a dictionary, and depending on how the server manages nonces it may be possible to replay requests using the captured hash.
NTLM: This uses a challenge/response mechanism so that the password itself is never sent and a captured response cannot simply be replayed against a fresh challenge over HTTP. However, the authentication is per connection and will only work with HTTP/1.1 persistent connections. For this reason it may not work through all HTTP proxies and can introduce large numbers of network round trips if connections are regularly closed by the web server. It is not a substitute for TLS either: an active attacker can relay the exchange in real time, and older NTLMv1 responses are feasible to crack offline.
In this section we will discuss only the Basic authentication mechanism. More detailed information about HTTP authentication can be found in RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt), which has since been superseded by RFC 7235 (the HTTP authentication framework), RFC 7617 (Basic) and RFC 7616 (Digest).
When a server requires Basic authentication, it rejects an unauthenticated request for the protected resource with a 401 status and a WWW-Authenticate response header:
HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="MyServer"
Content-Length: 0
The word Basic in the WWW-Authenticate header selects the authentication mechanism that the HTTP client must use to access the resource. The realm string can be set to any value to identify the secure area and may be used by HTTP clients to manage stored passwords.
Most web browsers will display a login dialog when this response is received, allowing the user to enter a username and password. This
information is then used to retry the request with an Authorization request header:
GET /securefiles/ HTTP/1.1
Host: www.httpwatch.com
Authorization: Basic aHR0cHdhdGNoOmY=
The Authorization header specifies the authentication mechanism (in this case Basic) followed by the username and password. Although the string aHR0cHdhdGNoOmY= may look encrypted, it is simply a base64 encoded version of <username>:<password>. In this example the un-encoded string is "httpwatch:f" (the value shown is the base64 of exactly that string; "httpwatch:foo" would encode to aHR0cHdhdGNoOmZvbw==), and it is readily available to anyone who can intercept the HTTP request.
Example 10
7/4/2017 HTTP Authentication | HttpWatch https://www.httpwatch.com/httpgallery/authentication/
Clicking the Display Image button will attempt to access an image file that uses HTTP Basic Authentication. You will need to enter httpwatch as the username and a different password every time you access the image:
Authenticated Image:
1. Open HttpWatch by right clicking on the web page and selecting HttpWatch from the context menu
5. If you enter a username of httpwatch and some unique text as the password, the request will be successfully processed with a
200 response.
6. Select the Headers tab to view the use of the WWW-Authenticate and Authorization headers