Here i am again… The tradition of the “hardcores or masochists” series keeps going on. Now, i am onto the simple authorization of the http. You must have used an .htaccess file before to protect some folder from the public. You must have also read the apache documentation that says this is not safe and you should not use it to keep data extremely safe. Here is how it works…
The client proceeds with a request as normal from the webserver, since he does not know if this section (or realm as it is called) is protected or not. A dump from a simple request could be something like the following (in the “HTTP for hardcores or… masochists!” there is a more detailed description):
GET / HTTP/1.1
Host: 127.0.0.1:2020
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; el; rv:1.8.1.13) Gecko/2008
0311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Accept-Language: el-gr,el;q=0.7,en-us.;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-7,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If the server is protected with basic http authorization it will respond with something like this:
HTTP\1.1 401 Unauthorized
Server: someserver.com
Date: Tue, 15 Apr 2008 18:04:55 GMT
WWW-Authenticate: Basic realm="Foo Realm"
Content-Type: text/html
Connection: close
Please note the header HTTP\1.1 401 Unauthorized and after that the WWW-Authenticate: Basic realm=”Foo Realm”. The first one means that the current location is protected and we are not allowed to access it. The second one “challenges” (as we call it) us to authenticate our selfs. At this point, our browser should pop-up a window for us to input or login credentials.
Please note that above headers, will follow a custom error HTML message (saying we are not authorized). This is the message that the browser displays if we fail the challenge, i.e. if we input wrong login credentials (and for most browsers if we do that for three times). If we pass the authentication we get our page.
When the user has entered the login details and clicked “OK”, “Submit” or whatever then the browser actually makes a new request, a bit changed this time. Here is a dump of an authentication sent from the browser to the server:
GET / HTTP/1.1
Host: 127.0.0.1:2020
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; el; rv:1.8.1.13) Gecko/2008
0311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Accept-Language: el-gr,el;q=0.7,en-us.;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-7,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic Zm9vOmJhcg==
Everything looks perky and nice, similar to the ones we know except for this header Authorization: Basic Zm9vOmJhcg==. Here is where the browser says “Hey i have this login credentials for this realm”. Essentialy, what this header is, it says that the authentication process is a Basic HTTP 1.1 authentication and the username and password are: Zm9vOmJhcg==. Well, they look jiberish because they are Base64 encoded. You can use any Base64 converter such as this one. If you do that, you will get the username and password i entered, delimited with a “:”, “foo:bar”.
Easy huh? Well, that’s the point. As always, with these stuff, there is an RFC for HTTP Authentication here. So, apache docs are right. Do not use this method of protection if you want to be sure your scripts will be safe.
One pointer here, this authentication is not session based, which means that each time the browser needs to access the “realm”, should send the authenitcation header. The reason why you don’t input your password all the time, and only once, making it seem session based, is that your browser is smart enough to remember that this realm needs this passowrd.
As always, i am open for comments, as a matter of fact i’d be glad to have some!