LITA Regional Institute: Proxy Web Servers and Authentication
Atlanta, GA    May 30, 2003

How web clients authenticate to servers

  1. The client makes a normal request for a page. The server determines that authentication is required for that page.
  2. The server returns a WWW-Authenticate header, and the browser displays a login box with the realm string supplied by the server.
        WWW-Authenticate: Basic realm="WallyWorld"
  3. The browser accepts the login and password from the user, creates a string in the form "<login>:<password>", encodes it with Base-64, and repeats the request for the same URL with the encoded string in an Authorization header.
        Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  4. The server decodes the Base-64 string, separates the login and password, and checks the credentials.
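
The four steps above as a runnable sketch, added here as an illustration and not part of the original slides. The function names and the in-memory USERS table are assumptions made for this example; the 401 status code is the standard HTTP response that carries the WWW-Authenticate challenge.

```python
import base64
import binascii
import hmac

REALM = "WallyWorld"  # realm string from the sample challenge above
# Constructed credential store for this example; a real server stores password hashes.
USERS = {"Aladdin": "open sesame"}


def challenge():
    """Steps 1-2: status and header returned when valid credentials are missing."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def client_authorization(login, password):
    """Step 3: the header value the browser builds from the login box."""
    token = base64.b64encode(f"{login}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header):
    """Step 4: recover (login, password), or None if the header is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: the password may itself contain colons.
    login, sep, password = decoded.partition(":")
    return (login, password) if sep else None


def handle_request(headers):
    """Return (status, response_headers) for a request to a protected page."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return challenge()
    login, password = creds
    expected = USERS.get(login)
    # Constant-time comparison; unknown logins are compared against an empty value.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    if expected is None or not ok:
        return challenge()
    return 200, {}
```

Step 4 needs no key, so anyone who can observe the Authorization header can run the same decode; Basic credentials are only as protected as the connection that carries them.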