How does http://user:pass@host.com authentication work?


Question

Can anyone explain how http://user:pass@host.com authentication works? Does the browser send the Authorization header with user:pass being base-64 encoded?

I opened the Net console in Chrome developer tools and when I do request such as http://user:pass@stackoverflow.com I do not see Authorization header being added.

I am really curious to how the browser sends the password in case I use user:pass@ in front of a URL.

Answer

To inspect headers, you need to test against a server that requires authentication. The client will not send any Authorization header until the server asks for it since the client won't know what authentication method the server requires (basic or digest).

HTTP authentication is done in two requests:

First, a request without any Authorization header is sent. The server then responds with a WWW-Authenticate that tells the client how to authenticate. This includes a realm name and an authentication method (again, this is either basic or digest).

The client then sends a new request with an additional Authorization header. In the case of basic authentication, this header is just user:pass base64 encoded, just as you are saying:

Authorization: Basic dXNlcjpwYXNz

Now the password is visible in transit, unless you are using https. A better option is digest authentication, where the contents of both WWW-Authenticate and Authorization are best explained by the wikipedia article. :)
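The two-request exchange the answer describes, as an added example that is not part of the question or the answer: a tiny local HTTP server (standard library only) that challenges with WWW-Authenticate: Basic, and a client that first sends no Authorization header, receives the 401 challenge, and then repeats the request with the base64-encoded user:pass. The realm name "demo", the credentials user/pass, and the loopback server are constructed for this example. The server-side parser also shows the checks a defender wants around the decoding step (scheme, base64 validity, presence of the colon) and compares credentials in constant time.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "demo"        # constructed realm name for this example
VALID_USER = "user"   # constructed credentials, matching the question's example URL
VALID_PASS = "pass"


def basic_credentials(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic auth: 'Basic ' + base64(user:pass)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_credentials(header: str):
    """Return (user, password) from a 'Basic <token>' header value, or None if it is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects non-base64 characters instead of silently skipping them
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # RFC 7617 requires the colon separator
        return None
    return user, password


def credentials_valid(creds) -> bool:
    """Constant-time comparison so response timing does not leak how much of the secret matched."""
    if creds is None:
        return False
    user, password = creds
    return bool(hmac.compare_digest(user.encode(), VALID_USER.encode())
                & hmac.compare_digest(password.encode(), VALID_PASS.encode()))


class BasicAuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not credentials_valid(parse_basic_credentials(self.headers.get("Authorization", ""))):
            # Step 1 of the exchange: challenge the client, naming the realm and the scheme
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def run_exchange():
    """Run both requests against a loopback server; return (first status, challenge, second status)."""
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        # Request 1: no Authorization header, the client does not yet know which scheme is wanted
        conn.request("GET", "/")
        first = conn.getresponse()
        first.read()
        challenge = first.getheader("WWW-Authenticate")
        # Request 2: the client answers the Basic challenge with base64(user:pass)
        conn.request("GET", "/", headers={"Authorization": basic_credentials(VALID_USER, VALID_PASS)})
        second = conn.getresponse()
        second.read()
        conn.close()
        return first.status, challenge, second.status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_exchange())  # (401, 'Basic realm="demo"', 200)
```

Running the block prints the 401 challenge followed by the 200 for the authenticated retry; the Authorization value sent in the second request is exactly the `Basic dXNlcjpwYXNz` shown in the answer, which is why it must only travel over https.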
