Basic Authentication not stateless


Question

I'm trying to use Basic Authentication in a CakePHP API that I can talk to using jQuery.

Running this code works fine:

$.ajax({
        type: 'GET',
        url: 'http://username:password@domain.com',
        dataType: 'jsonp',
        success: function(data) {
                console.log(data);
        }
});

Note: I'm putting the username and password in the URL, sending with JSONP as the dataType, and then using beforeSend etc.

However, then running this code as a REPLACEMENT for the above AFTER running the above also works (notice I'm not sending the username and password anymore).

$.ajax({
        type: 'GET',
        url: 'http://domain.com',
        dataType: 'jsonp',
        success: function(data) {
                console.log(data);
        }
});

The browser is remembering the user, so the code no longer needs the headers to make requests to the CakePHP API. But if it's stateless... this shouldn't be happening right?

I thought you had to send the headers with every request for Basic Authentication?

Can anyone explain this?

Recommended answer

During the first request the server actually issues a WWW-Authenticate field in the response headers and responds to you a challenge authentication asking you to enter a correct username and password. In your case you included them to the URL.

The next time you send a request again to the server, the client's request header will now have an Authorization field included in it (i.e. Authorization: Basic c2RmZ2RmZzpkYWRmZHNmcw==). c2RmZ2RmZzpkYWRmZHNmcw== is basically a base 64 encoded string that the client includes to the headers for every succeeding requests so that the server will not respond with a challenge authentication each time. By doing a base 64 decode to the string you will see that the value is basically a combination of username and password (i.e. dfgdfg:dadfdsfs) in the format <username>:<password>.

Now if you try to close the browser the Authorization field will be destroyed and the server will ask again for the correct username and password once you try to issue a request again. You can actually bypass including the username and password in the URL in plain text. Just include an Authorization field in your request header. Just be sure that the : value is base 64-encoded correctly and include the type Basic to it.
