When does HTTP Authentication occur? Is one of them by using http://peter:[email protected]?


There seem to be 2 kinds of HTTP Authentication: Basic access authentication and Digest access authentication.

So I think in general, a user tries to access a URL, and the web server returns 401 Unauthorized, and then the browser pops up an app window, asking for username and password, and then sets the credentials in the HTTP headers and sends the HTTP request again.

What about http://peter:[email protected]? Is that supposed to not wait for the 401 to come back but provide the username and password in advance? Somehow, I tried http://peter:[email protected] or yahoo, but inside of Fiddler (to monitor net traffic), I don't see any credential info in the HTTP request.

2

There are 2 answers

1
tangentstorm On BEST ANSWER

You still need to send the 401 on the server side. The user:pass@host is just a convenience to avoid displaying the login dialog.

If you think about it, this makes sense, because if you don't send the 401 with the header explaining which method to use, the client doesn't know how to format the credentials.

(There are actually any number of schemes, not just Basic and Digest.)
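The exchange this answer describes, as an added example that is not part of the original answer: a local Python server challenges an unauthenticated request with 401 and `WWW-Authenticate`, and the client sends the `Authorization` header only after reading which scheme the challenge names. The credentials, realm name and function names are constructed for the demonstration.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credentials, encoded the way the Basic scheme requires.
EXPECTED = "Basic " + base64.b64encode(b"peter:constructed-secret").decode()

class Handler(BaseHTTPRequestHandler):
    seen = []  # Authorization header value of each request, in arrival order

    def do_GET(self):
        auth = self.headers.get("Authorization")
        Handler.seen.append(auth)
        ok = auth == EXPECTED
        self.send_response(200 if ok else 401)
        if not ok:
            # The challenge names the scheme, so the client knows how to format credentials.
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        body = b"hello peter\n" if ok else b"authentication required\n"
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def fetch(port, headers):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("WWW-Authenticate")

def run_exchange():
    Handler.seen = []
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        first = fetch(port, {})              # no credentials yet -> 401 challenge
        scheme = first[1].split()[0]         # scheme chosen by the server
        retry = fetch(port, {"Authorization": EXPECTED}) if scheme == "Basic" else None
    finally:
        server.shutdown()
        server.server_close()
    return first, retry, list(Handler.seen)

if __name__ == "__main__":
    print(run_exchange())
```

The first entry in `seen` is `None`: a traffic monitor watching that initial request sees no credential header, which is what the question observed in Fiddler.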

0
nonopolarity On

For some understanding of it, there is a Railscast that talks about HTTP Basic Authentication and adding it to a Rails project and what it looks like in a browser: http://railscasts.com/episodes/82-http-basic-authentication