Figure 9-1. Netscape requests a username and password
This support doesn't authenticate a user or provide authorization to access a resource or service. The server needs the encoded username and password to establish the user's credentials and then decide if the user is authorized to receive the requested resource. How the server performs the authentication depends on the application. An Apache server, configured to protect resources with authentication, uses a file that contains a list of usernames and encrypted passwords, while other applications might use a table of users in a database.
How HTTP Authentication Works
Figure 9-2 shows the interaction between a web browser and a web server when a request is challenged. The browser sends a request for a resource stored on the server. The server sends back a challenge response with the status code set to 401 Unauthorized, and the header field WWW-Authenticate. The WWW-Authenticate field contains parameters that instruct the browser on how to meet the challenge. The browser may need to prompt for a username and password to meet the challenge. The browser then resends the request, including the Authorization header field that contains the credentials the server requires.
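The exchange just described, both halves of it, as an added example that is not from the book or from Apache: a client that parses the WWW-Authenticate challenge and builds the Authorization header for the Basic scheme, and an origin server that decodes the credentials and checks them before deciding between 401 and 200. The realm string and the user records are constructed for the example; the server stores a salted PBKDF2 hash per user (an assumption for illustration, not the format of Apache's password file) and compares with a constant-time function so a failed check leaks nothing about which part was wrong.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# Constructed challenge value (not from the book): what the server puts in
# WWW-Authenticate when it answers with 401 Unauthorized.
CHALLENGE = 'Basic realm="Members Only"'
PBKDF2_ROUNDS = 100_000


def parse_challenge(header_value):
    """Client side: split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[key.lower()] = quoted if quoted else bare
    return scheme, params


def build_authorization(username, password):
    """Client side: encode user:password for the Authorization header.
    Base64 is an encoding, not encryption; the transport must protect it."""
    if ":" in username:
        raise ValueError("username may not contain ':' in the Basic scheme")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def make_user_record(password, salt=None):
    """Server side: store a salted PBKDF2 hash of the password, never the plaintext
    (assumed store format for this example; Apache's file format differs)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_authorization(header_value, users):
    """Server side: decode the Authorization header and verify the credentials.
    Returns the authenticated username, or None if the request is not authorized."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = users.get(username)
    # Run the hash even for unknown users so response time does not reveal
    # which usernames exist.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    if record and hmac.compare_digest(candidate, record["hash"]):
        return username
    return None


def respond(request_headers, users):
    """Origin-server decision for a protected resource: (status, response headers)."""
    who = check_authorization(request_headers.get("Authorization"), users)
    if who is None:
        return 401, {"WWW-Authenticate": CHALLENGE}
    return 200, {}


if __name__ == "__main__":
    users = {"alice": make_user_record("s3cret")}      # constructed user record
    # 1. First request carries no credentials: the server challenges it.
    status, headers = respond({}, users)
    print(status, headers)                               # 401 {'WWW-Authenticate': ...}
    # 2. The browser reads the challenge, prompts the user, and resends.
    scheme, params = parse_challenge(headers["WWW-Authenticate"])
    print(scheme, params["realm"])
    retry = {"Authorization": build_authorization("alice", "s3cret")}
    print(respond(retry, users))                         # (200, {})
```

The client never sends credentials until it has seen the challenge, and the server never reveals whether the username or the password was the problem; both are properties of the exchange as the text describes it, and the example makes them explicit.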
Example 9-1 shows the HTTP response sent from an Apache server when a request is made for a resource that requires authentication.