6

Can anyone explain how http://user:pass@host.com authentication works? Does the browser send the Authorization header with user:pass being base-64 encoded?

I opened the Net console in Chrome developer tools and when I do request such as http://user:pass@stackoverflow.com I do not see Authorization header being added.

I am really curious as to how the browser sends the password in case I use user:pass@ in front of a URL.

bodacydo
It is just the authorisation headers. I don't know how Chrome does it, but with Firefox it checks if the site is asking for authentication (in the request) and if it isn't, warns you that `You are about to log in to the site "stackoverflow.com" with the username "user", but the website does not require authentication. This may be an attempt to trick you. Is "stackoverflow.com" the site you want to visit?` And then it either [Yes] cuts out the auth details or [No] aborts the request. So unless you've got a site with authorisation handy, you *won't* see the headers. – Chris Morgan Oct 20 '11 at 12:59

1 Answer

5

To inspect headers, you need to test against a server that requires authentication. The client will not send any Authorization header until the server asks for it since the client won't know what authentication method the server requires (basic or digest).

HTTP authentication is done in two requests:

First, a request without any Authorization header is sent. The server then responds with a WWW-Authenticate header that tells the client how to authenticate. This includes a realm name and an authentication method (again, this is either basic or digest).

The client then sends a new request with an additional Authorization header. In the case of basic authentication, this header is just user:pass base64 encoded, just as you are saying:

Authorization: Basic dXNlcjpwYXNz

Now the password is visible in transit, unless you are using https. A better option is digest authentication, where the contents of both WWW-Authenticate and Authorization are best explained by the Wikipedia article. :)

Martin
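The two-request flow the answer describes, written out as an added Python example (not code from the original post): the client strips `user:pass@` from the URL, sends the first request bare, and only builds the Basic `Authorization` header after a 401 challenge names that scheme. The server here is a constructed stand-in and the function names are my own.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit


def split_credentials(url):
    """Strip user:pass@ from the URL; return (clean_url, user, password)."""
    parts = urlsplit(url)
    netloc = (parts.hostname or "") + (f":{parts.port}" if parts.port else "")
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password


def parse_challenge(header):
    """Parse a WWW-Authenticate value into (scheme, params), e.g. ('basic', {'realm': 'x'})."""
    scheme, _, rest = header.strip().partition(" ")
    params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return scheme.lower(), params


def basic_authorization(user, password):
    """Basic auth is just 'user:pass' base64-encoded, so it is readable without TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticated_request(url, send):
    """Two-step flow: request without credentials, retry with Authorization only if challenged.

    `send(url, headers)` is a transport callback returning (status, response_headers).
    Returns (final_status, authorization_header_sent_or_None).
    """
    clean, user, password = split_credentials(url)
    status, headers = send(clean, {})          # first request: no Authorization at all
    if status != 401 or user is None:
        return status, None                    # no challenge, credentials never leave the client
    scheme, _params = parse_challenge(headers.get("WWW-Authenticate", ""))
    if scheme != "basic":
        return status, None                    # digest needs a different Authorization value
    auth = basic_authorization(user, password)
    status, _ = send(clean, {"Authorization": auth})
    return status, auth


# Constructed stand-in for a server that protects everything with Basic auth.
def fake_basic_server(url, headers, expected=("user", "pass")):
    if headers.get("Authorization", "") == basic_authorization(*expected):
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="example"'}
```

Running `authenticated_request` against a server that never challenges (for example `lambda url, headers: (200, {})`) returns `(200, None)`, which is exactly why no Authorization header shows up in the browser's network console for stackoverflow.com.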