Millions of people use the Web to perform private transactions and access private data. The Web makes it very easy to access this information, but easy isn’t good enough. We need assurances about who can look at our sensitive data and who can perform our privileged transactions. Not all information is intended for the general public.

We need to feel comfortable that unauthorized users can’t view our online travel profiles or publish documents onto our web sites without our consent. We need to make sure our most sensitive corporate-planning documents aren’t available to unauthorized and potentially unscrupulous members of our organization. And we need to feel at ease that our personal web communications with our children, our spouses, and our secret loves all occur with a modicum of privacy.

Servers need a way to know who a user is. Once a server knows who the user is, it can decide which transactions and resources the user can access. Authentication means proving who you are; usually, you authenticate by providing a username and a secret password. HTTP provides a native facility for HTTP authentication. While it’s certainly possible to “roll your own” authentication facility on top of HTTP forms and cookies, for many situations, HTTP’s native authentication fits the bill nicely.

This chapter explains HTTP authentication and delves into the most common form of HTTP authentication, basic authentication. The next chapter explains a more powerful technique ...