
The Authorization Request Header

The "Basic" form of authentication used in HTTP is slightly strange. It takes a user-ID string and a password string and concatenates them using a colon character as a separator. The resulting string is then encoded using the base64 scheme, and included in a new request header.
 
As an example, take a page for which the username is "student" and the password is "student" -- pretty typical :-). The concatenation is thus "student:student". We can use the Unix command-line base64 program mimencode to encode the data (it encodes to "c3R1ZGVudDpzdHVkZW50"), so that the request header will look something like:

    GET /subjects/CN/test/index.html HTTP/1.0
    Authorization: Basic c3R1ZGVudDpzdHVkZW50
    ....etc....

This, of course, begs the obvious question -- why on earth do they do this? The obvious answer is "for security reasons" -- to deter casual network snoopers who might be observing traffic, watching for passing user-IDs and passwords. We are left wondering...
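
The encoding step described above, as an added example that is not part of the original lecture notes: it builds the header for "student"/"student" and then reverses it from a captured request, showing that base64 is an encoding any observer can undo without a key. The function names are illustrative, and the request text is constructed from the example above.

```python
import base64
import binascii

def build_basic_header(user_id: str, password: str) -> str:
    """Concatenate user-ID and password with ':' and base64-encode the result."""
    if ":" in user_id:
        # The first colon is the separator, so the user-ID cannot contain one.
        raise ValueError("user-ID must not contain ':'")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return "Authorization: Basic " + token.decode("ascii")

def parse_basic_header(line: str):
    """Return (user_id, password) from a Basic Authorization header, else None."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: not valid base64 or not text
    # Split on the FIRST colon only, so passwords may themselves contain ':'.
    user_id, sep, password = decoded.partition(":")
    return (user_id, password) if sep else None

def credentials_in_request(raw_request: str):
    """Scan the header lines of a raw request for Basic credentials."""
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if line == "":
            break  # blank line ends the headers
        creds = parse_basic_header(line)
        if creds is not None:
            return creds
    return None

# Constructed sample input: the request shown in the example above.
SAMPLE_REQUEST = (
    "GET /subjects/CN/test/index.html HTTP/1.0\r\n"
    "Authorization: Basic c3R1ZGVudDpzdHVkZW50\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(build_basic_header("student", "student"))
    print(credentials_in_request(SAMPLE_REQUEST))
```

Because the decode step needs nothing but the header itself, the credentials are only as private as the connection that carries the request.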
 
Lecture 06: Applications #3.2: HTTP Copyright © 2005 P.Scott, La Trobe University Bendigo.

