- From: Joris Dobbelsteen <joris.dobbelsteen@mail.com>
- Date: Fri, 27 Feb 2004 16:23:52 +0100
- To: "'Jim Flath'" <jim_flath@yahoo.com>
- Cc: "WWW WG" <ietf-http-wg@w3.org>
- Message-Id: <20040227152346.992C11CD22@smtp6.wanadoo.nl>
Jim,

I'm using IIS6 with IE6 and here the logs show up the following situation: every request to a page that requests authentication will have the 401 200 sequence. The exception counts for pictures that are part of the HTML page, where IE instantly authenticates.

The use of cookies can indeed save some round-trips to the server. Because of the use of HTTPS this would be safe enough, though authentication would be a lot safer. Adversaries might guess the session identifier. Usually this risk is quite small, though...

The inefficiency was done because of security reasons, I assume. If you authenticate, you send your password out into the open, which is not quite safe.

Note that in the cookies the session identifier is stored and is used to match the session on the server.

- Joris

_____

From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Jim Flath
Sent: Friday, 27 February 2004 14:36
To: ietf-http-wg@w3.org
Subject: HTTP Basic Authentication

I am building a system that is constructed using servlets and JSPs; I also utilize Sessions and client cookies. I am curious if I am truly implementing Basic Authentication or a mutated version of that. Here is the flow:

First request:
- Client makes initial request to a secure resource.
- Server finds no session data to indicate previous authentication.
- Server checks header values for credentials, no credentials found, replies with a 401 status code.
- Client receives 401 and prompts for credentials, receives user input and sends the authentication header data.
- Server interrogates the header data and authenticates the user to the realm.
- Server saves user data and flags in the session to indicate that they have successfully authenticated to the realm.
- Server serves up the resource.

Subsequent request with a valid session:
- Client request to same or different secure resource within the same realm.
- Session is still valid and server finds authentication flags in the session, does NOT resend 401 status code.
- Server serves up the resource.

Subsequent request with invalid session:
- Subsequent request to same or different secure resource within the same realm.
- Session has been invalidated, no session data found.
- Server checks header values for credentials, no credentials found, replies with a 401 status code.
- Client receives 401 and sends cached credentials in the authentication header.
- Server interrogates the header data and authenticates the user to the realm.
- Server saves user data and flags in the session to indicate that they have successfully authenticated to the realm.
- Server serves up the resource.

Does the server need to reply with a 401 for each and every request to a secure resource within the same realm to say I am using Basic Authentication? That type of model would seem to be inefficient. I understand that HTTP is a stateless transaction, but with the addition of sessions and cookies the entire transaction becomes stateful to a point.

FYI, the entire transaction is accomplished using HTTPS/SSL.
Received on Friday, 27 February 2004 10:23:49 UTC
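The flow Jim describes (check the session first, issue the Basic challenge only when there is no session, start a fresh session once credentials verify), as an added Python sketch that is not part of this thread or of either poster's code. `USERS`, `SESSIONS`, `handle` and `walk_through` are hypothetical names; the `sid` cookie, the realm and the credentials are constructed for the demo.

```python
import base64
import secrets
from http import HTTPStatus

USERS = {"alice": "s3cret"}   # constructed demo credentials, not a real user store
REALM = "demo"
SESSIONS = {}                 # server-side store: opaque random session id -> user name

def challenge():
    # 401 plus the challenge header that makes the client prompt for (or replay) credentials.
    return HTTPStatus.UNAUTHORIZED, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None

def check_basic(header):
    """Return the user name if the Authorization header carries valid Basic credentials."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode("utf-8").partition(":")
    except ValueError:  # bad base64 or bad UTF-8: treat as no credentials
        return None
    if user in USERS and secrets.compare_digest(USERS[user].encode(), pwd.encode()):
        return user
    return None

def handle(headers):
    """One request. headers: dict of request headers. Returns (status, response headers, user)."""
    cookie = headers.get("Cookie", "")
    sid = cookie[4:] if cookie.startswith("sid=") else None
    if sid in SESSIONS:                       # valid session: serve without re-challenging
        return HTTPStatus.OK, {}, SESSIONS[sid]
    user = check_basic(headers.get("Authorization"))
    if user is None:                          # no session and no usable credentials
        return challenge()
    sid = secrets.token_urlsafe(32)           # unguessable id; flags keep it off plain HTTP/JS
    SESSIONS[sid] = user
    return HTTPStatus.OK, {"Set-Cookie": f"sid={sid}; Secure; HttpOnly; SameSite=Strict"}, user

def walk_through():
    """Replay the thread's three scenarios; returns the status codes seen, in order."""
    creds = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    seen = [handle({})[0]]                                   # no session, no creds -> 401
    status, resp, _ = handle({"Authorization": creds})       # retry with creds -> 200 + cookie
    seen.append(status)
    cookie = resp["Set-Cookie"].split(";")[0]
    seen.append(handle({"Cookie": cookie})[0])               # valid session -> 200, no 401
    SESSIONS.clear()                                         # server invalidates the session
    seen.append(handle({"Cookie": cookie})[0])               # stale cookie -> 401 again
    seen.append(handle({"Cookie": cookie, "Authorization": creds})[0])  # cached creds -> 200
    return [int(s) for s in seen]
```

The second 401 in the replay is the round-trip Jim asks about: the client only pays it when the server-side session is gone, and the session id is a random token, so guessing it is the risk Joris mentions rather than the password itself being replayed on every request.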