User Login

Rather than passively trying to guess the identity of a user from his IP address, a web server can explicitly ask the user who he is by requiring him to authenticate (log in) with a username and password.

To help make web site logins easier, HTTP includes a built-in mechanism to pass username information to web sites, using the WWW-Authenticate and Authorization headers. Once logged in, the browser continues to send this login information with each request to the site, so the information is always available. We’ll discuss this HTTP authentication in much more detail in Chapter 12, but let’s take a quick look at it now.

If a server wants a user to register before providing access to the site, it can send back an HTTP 401 Login Required response code to the browser. The browser will then display a login dialog box and supply the information in the next request to the server, using the Authorization header.[2] This is depicted in Figure 11-2.


Figure 11-2. Registering username using HTTP authentication headers

Here’s what’s happening in this figure:

  • In Figure 11-2a, a browser makes a request to the www.joes-hardware.com site.

  • The site doesn’t know the identity of the user, so in Figure 11-2b, the server requests a login by returning the 401 Login Required HTTP response code and adds the WWW-Authenticate header. This causes the browser to pop up a login dialog box.

  • Once the ...
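The exchange in Figure 11-2, written out as an added example (not code from the book): the server answers a request that carries no Authorization header with a 401 and a WWW-Authenticate challenge, the client builds the Authorization header the browser would send after its login dialog, and the server decodes and checks it. The user table, realm name and function names are constructed for this example; the server side compares the password bytes in constant time. Note that Basic credentials are only base64-encoded, not encrypted, so this exchange is only safe over TLS.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for the example (hypothetical user).
# A real deployment keeps salted password hashes, never plaintext.
USERS = {"joe": "secret-pw"}
REALM = "Joe's Hardware"


def build_authorization_header(username: str, password: str) -> str:
    """Client side: what the browser sends once the user fills in the login dialog.
    Basic auth is base64(user:pass), which is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: decode 'Basic <b64>' into (user, password); None if malformed."""
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, pw = decoded.partition(":")
    return user, pw


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Server side of Figure 11-2 for a single request.
    Returns (status code, response headers, body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth is None:
        # Figure 11-2b: no credentials yet, so challenge the browser
        return 401, challenge, "Login required"
    creds = parse_authorization_header(auth)
    if creds is None:
        # Malformed header: re-issue the challenge rather than guessing
        return 401, challenge, "Login required"
    user, pw = creds
    # Compare against an empty dummy for unknown users so the comparison
    # path is the same whether or not the username exists.
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(pw.encode("utf-8"), expected.encode("utf-8")) and expected != ""
    if not ok:
        return 401, challenge, "Login required"
    return 200, {}, f"Welcome, {user}"


def run_exchange(username: str, password: str):
    """Drive both sides: the first, unauthenticated request and the retry
    that carries the Authorization header. Returns both responses."""
    first = handle_request({})
    retry = handle_request({"Authorization": build_authorization_header(username, password)})
    return first, retry


if __name__ == "__main__":
    first, retry = run_exchange("joe", "secret-pw")
    print("first request  ->", first[0], first[1])
    print("retry with auth->", retry[0], retry[2])
```

Once the retry succeeds, a browser keeps attaching the same Authorization header to every later request for that realm, which is why the server can keep identifying the user without a cookie; on the server side, the only check per request is the one in `handle_request`.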
