1

I have a HTTPD apache server which does LDAP authentication. When the user hits the URL http://localhost/, a browser prompt pops up asking for username and password.

  • How are the username and password carried from browser to the HTTPD server ? Are they really transferred to server through network? If so, are they encrypted?
  • Is browser prompt safer than entering the credentials directly in the sign-in page of a website ?

Need a simple explanation on how the authentication is working.

Vinayak
  • 73
  • 7

2 Answers2

2

The 'Basic' HTTP Authentication Scheme is described in RFC 7617.

The credentials are passed as an HTTP header and not encrypted so Basic Auth use over plain HTTP without encryption is insecure. If used over HTTPS there are other issues - see this question

AlexD
  • 8,747
  • 2
  • 29
  • 38
0

Two answer your second question:

Is browser prompt safer than entering the credentials directly in the sign-in page of a website ?

No.

The "browser prompt", Basic HTTP Authentication, has only one redeeming quality and the name says it all, it is the most basic, the most simple authentication scheme that you can use.

But that simplicity does not provide good security.

Many of those shortcomings are under the hood, AlexD already referred to most in this answer but something even your users may notice:

  • there is no "sign out" method
Bob
  • 5,805
  • 7
  • 25