科技回声
A technology news platform built on Next.js, providing global tech news and discussion content.


© 2025 科技回声. All rights reserved.

Using www-authenticate for user authentication

75 points, by blmayer, about 3 years ago

13 comments

ale42, about 3 years ago
Funny that old things like basic HTTP auth are regularly rediscovered by developers.

There are also other flavours of authentication that can be used in this context, like Digest, supported by all major browsers and only sending hashed passwords (even on plain http connections).
Comment #30387886 not loaded
Comment #30387244 not loaded
Comment #30389879 not loaded
Comment #30389835 not loaded
simonw, about 3 years ago
I always thought you couldn't implement logout with HTTP basic auth, but according to this:

> logging out is done by simply returning a 401 without www-authenticate header

I did not know that worked!
0xbadcafebee, about 3 years ago
I see an authentication pop-up and groan. If I leave it there it'll time out; if I hit 'escape' or my login fails, I'll get some generic HTTP server error screen. No password reset box, no contact form, no OAuth/SSO login button.
Comment #30387209 not loaded
Comment #30389285 not loaded
Comment #30387745 not loaded
Comment #30388558 not loaded
Comment #30387775 not loaded
Comment #30389759 not loaded
TonyTrapp, about 3 years ago
I won't get tired of mentioning this: the basic authentication dialog should show a message from the server that is supposed to inform you what kind of credentials to enter. This is super useful for intranets, spam prevention systems and other stuff. Chrome removed this message years ago because of a dubious security report, and Firefox appears to have finally given in and removed it as well. All because someone could MITM your connection and present a login prompt à la "please enter your YouTube credentials" (completely ignoring that if they MITM you, they could serve you a page that really looks like a login page). This change completely ruined the usability of basic authentication.
Comment #30391255 not loaded
Comment #30391200 not loaded
cjm42, about 3 years ago
The big problem with this is that mobile Safari on iOS won't autofill passwords for sites using WWW-Authenticate. It used to, but that feature got dropped years ago, which really ticks me off, as I regularly use a couple of sites that use it.
irq-1, about 3 years ago
If this is new to you, you can also include the username and password in the URL:

https://user@example.com/page

https://user:pass@example.com/page
Comment #30389344 not loaded
Comment #30390595 not loaded
jeroenhd, about 3 years ago
Looking at the MDN page [1], I noticed that SHA2-256 digest authentication was added relatively recently to Firefox (and Firefox for Android). I wonder why they added it, as no other browser manufacturer seems to care and the added benefit of using digest rather than basic auth is only minimal now that every decent website has TLS.

Also, interestingly, the support matrix suggests that Firefox for Android supports Kerberos and NTLM authentication. I guess I never expected Kerberos for websites to show up outside of desktop browsers.

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate
asadawadia, about 3 years ago
What a coincidence, I just wrote about this last night on my blog: https://blog.aawadia.dev/2022/02/17/basic-auth-with-javalin/
remram, about 3 years ago
I don't understand why "no cookies" is listed under "pros". This works exactly like a session cookie (a header attached to every request to the domain); the only difference is that the header contains your actual plain-text credentials instead of a token. It is at most as secure/safe/non-invasive as a cookie, and in a lot of situations, a lot less.

The obvious way to improve it would be to offer a way for the browser to load a custom form to authenticate and get the (hashed) credentials to present to the original website in the header. And then you have recreated session cookies in full.
jonahbenton, about 3 years ago
Having to do an authentication check on every request is suboptimal, but ok in many cases. It's just very unfortunate that more protocol explicitly directing secure interactions between the user and the user-agent in managing identity and authentication never really emerged.
password4321, about 3 years ago
There's also NTLM and Negotiate (Kerberos).

https://caniuse.com/?search=www-authenticate
cirrus3, about 3 years ago
What is the deal with no capitalization? It is distracting because it is almost as if the writer went out of their way to do this while leaving most other grammar intact.
foreigner, about 3 years ago
Why is this preferable to authentication using cookies?
Comment #30389304 not loaded