HTTP Protocol

Theory: Basic authentication

HTTP has a feature called basic authentication. It works as follows.

Basic authentication scheme of operation

Imagine you visit a specific page or site that requires authentication. You'll see an authorization window. The browser renders this window and requires you to enter a name and password.

Usually, if you enter incorrect data, the browser will ask for it again, and if you click Cancel you'll get a 401 error. Any attempt to access a page that requires basic authorization without the correct credentials gets a 401 response; from the server's point of view, there's no difference between submitting a form with incorrect data and clicking Cancel.

In other words, the browser renders this form whenever it receives a 401 response. The scheme is simple: either you send the correct data, or you get a 401 error. No magic, no way around it.

Let's see what data is required for such an interaction:

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="My Server"
Content-Length: 0

Until you log in, the server answers Access Denied together with the header WWW-Authenticate: Basic realm="My Server". The realm key in this header carries the value shown in the dialog box; it isn't used anywhere else.

After entering your username and password, the following headers will be sent:

GET /securefiles/ HTTP/1.1
Host: www.httpwatch.com
Authorization: Basic aHR0cHdhdGNoOmY=

First, these are standard HTTP/1.1 request headers. Second, there is the Authorization header, which contains the mandatory word Basic followed by a space and an encoded phrase. This phrase is the username and password, joined by a colon and encoded in base64:

<username>:<password>

That's all that's needed. Once the correct data is sent, authentication succeeds and you can access the site or page you requested.
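The exchange described above, as an added example that is not part of the original lesson: the client side builds the Authorization header, and the server side parses it, re-issues the WWW-Authenticate challenge on missing, malformed or wrong data, and checks the password in constant time. The realm, the user store and the sample credentials (alice / s3cret) are constructed for this demo.

```python
# Added example (not from the original lesson): build and verify an HTTP Basic
# Authorization header. The realm and credential store below are constructed
# for this demo; a real server would store password hashes, not plaintext.
import base64
import hmac

REALM = "My Server"
USERS = {"alice": "s3cret"}  # constructed sample credential store


def build_authorization(username, password):
    """Client side: the word Basic, a space, then base64('username:password')."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header_value):
    """Return (username, password) from an Authorization header, or None if it is not valid Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # not base64, or not text: treat as no credentials
    # Split on the first colon only: the username cannot contain ':', but the password may.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def check_request(headers):
    """Server side: return (status, response_headers) for a dict of request headers."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"', "Content-Length": "0"}
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge  # no or malformed header: issue the challenge
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return 401, challenge  # wrong data gets the same 401 as clicking Cancel
```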

Recommended programs