Shulou(Shulou.com)06/02 Report--

one。 Basic certification

After the client connects the user name and password with ":", it is encrypted by BASE64 and then sends the ciphertext to the server through the Authorization request header for verification. Each request needs to be sent repeatedly. It can be seen that the Basic authentication process is simple, the security is also low, there are divulging personal account information and many other security problems. The following is a demonstration of the principle only and does not represent the real situation:

The client requests data from the server:

GET / HTTP/1.1

Host: www.myrealm.com

The server sends an authentication request 401 to the client:

HTTP/1.1 401 Unauthorised

Server: bfe/1.0.8.18

WWW-Authenticate: Basic realm= "myrealm.com"

Content-Type: text/html; charset=utf-8

When the client receives the 401 return value, a login window pops up automatically, waiting for the user to enter a user name and password

The "user name: password" is encrypted by BASE64 and sent to the server for verification:

GET / HTTP/1.1

Host: www.myrealm.com

Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxx

The server takes out the Authorization request header information for decryption and compares it with the user database to determine whether it is legal or not. 200 OK will be returned if the request is legal. Basic authentication in RFC 2617 specification does not send Authentication-Info headers. Authentication-Info headers are added to Digest authentication.

one

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.