
I maintain a website that uses basic authentication to prevent outside users from viewing it (it's a staging/test environment open to the internet). The website is available over unsecured (HTTP) connections, with some pages (like the login/registration forms) requiring secure (HTTPS) connections. The site has a separate cookie-based login, but this is custom and does not use any framework-provided APIs (i.e. Forms Authentication).

In this environment, when a user has successfully logged in to the site homepage via an unsecured connection and then clicks a link to open a secure page, they are prompted to log in again via basic authentication. My client has requested that this second login be removed.

Is there a way to make the basic authentication persist across the protocol switch (HTTP -> HTTPS) without requiring the user to log in again?

2 Answers


No.

Since your URL is changing, your browser stops sending the Authorization: header even though the realm could be the same over HTTP and HTTPS.

Since basic authentication sends cleartext credentials, best practice is to redirect all users accessing a URL space that is "secured" with basic authentication to HTTPS.

HBruijn
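The redirect-first approach from this answer, as an added Python WSGI example that is not part of the original thread: the wrapper sends any plain-HTTP request to HTTPS before it ever issues a basic-auth challenge, so the Authorization header is only exchanged over TLS, and it verifies the credentials with constant-time comparison. The user, password, realm and hostname are constructed placeholders; `X-Forwarded-Proto` is honoured on the assumption that a trusted TLS-terminating proxy sets it.

```python
import base64
import hmac
from urllib.parse import quote

# Constructed placeholder credentials and realm for this example (not from the thread).
STAGING_USER = "staging"
STAGING_PASSWORD = "change-me"
REALM = "Staging"
def make_basic_header(user, password):
    # The Authorization value a browser sends once it holds credentials for this realm.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
def _credentials_ok(header):
    # Parse a Basic header; compare both halves in constant time and always run both compares.
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    user_ok = hmac.compare_digest(user.encode(), STAGING_USER.encode())
    pw_ok = hmac.compare_digest(password.encode(), STAGING_PASSWORD.encode())
    return bool(sep) and bool(user_ok & pw_ok)
def basic_auth_https_only(app):
    # Wrap a WSGI app: send plain HTTP to HTTPS first, challenge for Basic auth only over TLS.
    def middleware(environ, start_response):
        # wsgi.url_scheme is set by the server; X-Forwarded-Proto covers a TLS-terminating proxy.
        https = (environ.get("wsgi.url_scheme") == "https"
                 or environ.get("HTTP_X_FORWARDED_PROTO") == "https")
        if not https:
            qs = environ.get("QUERY_STRING", "")
            location = (f"https://{environ.get('HTTP_HOST', 'localhost')}"
                        f"{quote(environ.get('PATH_INFO', '/'))}{'?' + qs if qs else ''}")
            start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
            return [b""]
        if not _credentials_ok(environ.get("HTTP_AUTHORIZATION")):
            start_response("401 Unauthorized", [("WWW-Authenticate", f'Basic realm="{REALM}"')])
            return [b"Authentication required"]
        return app(environ, start_response)
    return middleware
def call_wsgi(app, environ):
    # Run a WSGI app offline and return (status, headers dict, body bytes) for checking.
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
def staging_site(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"staging home"]
```

With this in front of the staging site, a browser that first reaches the homepage over HTTP is redirected and only ever authenticates on the HTTPS origin, so the credential cache it keeps for that origin covers every later secure page.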

You could try something like ADFS or TMG (or a similar product) to get "Single Sign-On" capabilities.

It is not advised to use basic auth over HTTP.

MichelZ