As mentioned earlier, information about HTTP-Auth can be found in abundance on the Internet—most sites based on web scripting have several scripts to cause a client to open an authentication dialog box (like the one in Figure 2) and capture the data for use within the script. However, since an understanding of HTTP-Auth is important in order to use the technique highlighted in this series, I’ll briefly cover some HTTP-Auth basics here.
HTTP-Auth relies mostly on the web server realizing that requested information is protected and requires authentication—namely, a username and password—to access the information. Instead of returning the requested information, the web server sends a 401 Unauthorized response code to the browser. Then the browser repeats the request, including the appropriate credentials to access the information in the header of the request. To get the appropriate credentials, most clients (browsers such as Microsoft Internet Explorer or Mozilla Firefox) pop up a dialog box to prompt the user for the credentials. The user’s response is then encoded and sent in the repeated request for the information.
The basic HTTP process looks similar to the diagram shown in Figure 3.
Figure 3 The HTTP-Auth process, showing server, client, and user interaction.
Textually, the process resembles the following procedure:
- The client (browser) sends a request for information to the server.
- The server determines whether the information requires authentication to
access, and responds in one of the following ways:
- If authentication is necessary, the server sends a 401 response code.
- If authentication is not necessary, the server sends the requested information.
- If the client receives the 401 response code, the user is prompted for the appropriate credentials. Then a repeated request for the information is sent to the server, incorporating the necessary credentials (as input from the user).
Although the server will send as many 401 Unauthorized codes as necessary, most clients will give up prompting for authentication information after three attempts, and thereafter will display an appropriate 401 response page. Also note that most browsers will cache the authentication information and supply it automatically as needed during the current session. That’s why the only real way to "log out" of some sites is to close all instances of your browser—that action effectively removes the cached HTTP-Auth info from memory, causing the authentication dialog box to appear again upon the next visit to the site.