Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Can anyone explain how http://user:pass@host.com authentication works? Does the browser send the Authorization header with user:pass being base-64 encoded?
I opened the Net console in Chrome developer tools and when I do request such as http://user:pass@stackoverflow.com I do not see Authorization header being added.
I am really curious to how the browser sends the password in case I use user:pass@ in front of a URL.
To inspect headers, you need to test against a server that requires authentication. The client will not send any
Authorizationheader until the server asks for it since the client won’t know what authentication method the server requires (basic or digest).HTTP authentication is done in two requests:
First, a request without any
Authorizationheader is sent.The server then responds with a
WWW-Authenticatethat tells the client how to authenticate. This includes a realm name and an authentication method (again, this is either basic or digest)The client then sends a new request with an additional
Authorizationheader. In the case of basic authentication, this header is justuser:passbase64 encoded, just as you are saying:Now the password is visible in transit, unless you are using https. A better option is digest authentication, where the contents of both
WWW-AuthenticateandAuthorizationare best explained by the wikipedia article. 🙂