Basic authentication is the most prevalent HTTP authentication protocol. Almost every major client and server implements basic authentication. Basic authentication was originally described in the HTTP/1.0 specification, but it has since been relocated into RFC 2617, which details HTTP authentication.
In basic authentication, a web server can refuse a transaction, challenging the client for a valid username and password. The server initiates the authentication challenge by returning a 401 status code instead of 200 and specifies the security realm being accessed with the WWW-Authenticate response header. When the browser receives the challenge, it opens a dialog box requesting the username and password for this realm. The username and password are sent back to the server in a slightly scrambled format inside an Authorization request header.
Figure 12-2, earlier in this chapter, showed a detailed example of basic authentication:
In Figure 12-2a, a user requests the personal family photo /family/jeff.jpg.
In Figure 12-2b, the server sends back a 401 Authorization Required password challenge for the personal family photo, along with the WWW-Authenticate header. The header requests basic authentication for the realm named Family.
In Figure 12-2c, the browser receives the 401 challenge and pops open a dialog box asking for the username and password for the Family realm. When the user enters the username and password, the browser joins them ...