4

I have a web service that requires a BASIC authentication header to be present in the request, or the service will return an HTTP 401 (unauthorized). This works - when the challenge comes back, the browser (in this case, Chrome) pops up and asks for the credentials. They are then saved for future requests.

My problem is that now two requests are being made on each subsequent request to the service - one without auth (which receives a 401), and then the browser immediately replies with the correct auth in the header.

Is there a way to force the browser (maybe via a special header) to supply credentials without having to be explicitly asked by the web service every time?

theMayer
  • 15,456
  • 7
  • 58
  • 90

1 Answers1

3

I do not believe it is possible to force the browser to preempt the 401. When a request for your service is made the service responds with HTTP 401 and adds the WWW-Authenticate Basic header as well as, I'm guessing, a realm (which you can define).

It would be worth taking a look at the RFC for basic authentication which goes into details in how the basic authentication standards should be implement. http://www.ietf.org/rfc/rfc2617.txt

You can also look into implementing your own HTTP Module which should give you more flexibility in your application and how you handle basic authentication. This allows you to register event handlers for Authenticate and End Request events and dictate with a bit more clarity how your service will deal with basic auth. A primer for this is available on the asp.net website. http://www.asp.net/web-api/overview/security/basic-authentication

If your services utilize different authentication based on your applications authentication (e.g. the service will only use basic authentication when the application is configured for forms authentication) than using an HTTP Module will allow you to conditionally use basic authentication. I typically register my handlers in this scenario like this:

AuthenticationSection config = (AuthenticationSection)WebConfigurationManager.GetSection("system.web/authentication");

if(config.Mode == AuthenticationMode.Forms)
{
    module.Authenticate += OnEnter;
    context.EndRequest += OnLeave;
}
Timothy Randall
  • 17,634
  • 1
  • 15
  • 27
  • +1; I already handle the basic auth server-side myself, as well as respond with the header, and the browser eventually figures it out. My problem is with the browser, and I didn't know if there is a standard way to make it behave better. – theMayer Apr 13 '13 at 05:10
  • I believe you are correct in your observations in paragraphs 1 and 2 (the rest of the post is not really relevant to my situation). This issue appears to have been resolved in a later version of Chrome as it now sends auth automatically. – theMayer Jul 05 '13 at 17:13
  • Why is this even the standard? – Philip Dec 21 '16 at 10:30