Automating HTTP Authentication with Scripting, Part 2: Rebooting a Password-Protected Router with a Script
Back to the Key: The HTTP Authorization Header
Part 1 of this series covered how HTTP communication works and what information gets passed between client and server in an HTTP-Auth session. But where does the web server look for the appropriate credentials for its HTTP-Auth use? It searches an HTTP header named Authorization, which takes the following form:
Authorization: Basic <"username:password" in base64 encoding>
The header specifies that the authorization is Basic (not Digest) and includes the username and password, separated by a colon (:) and base64 encoded. For example, suppose the username is hero and the password is goat. The PHP code in Listing 1 would build an appropriate Authorization header, stored in the variable $auth_header.
Listing 1 Using PHP to build the Authorization header.
// A somewhat verbose build of a valid Authorization header // Set the username and password $user = "hero"; $pass = "goat"; // Encode user:password $userpass = base64_encode($user . ":" . $pass); // Include encoded user/pass in the rest of the header $auth_header = "Authorization: Basic " . $userpass;
The trick then becomes including an appropriate and valid Authorization header in each request to a server that requires authentication—from the very first request to the last.