问题描述

任何人都可以解释身份验证的工作原理吗？浏览器是否使用 user发送授权标头：传递是否为base-64编码？

Can anyone explain how http://user:[email protected] authentication works? Does the browser send the Authorization header with user:pass being base-64 encoded?

我在Chrome开发者工具中打开了Net控制台，当我发出请求时，例如 http：// user：[email protected] 我没有看到授权标题被添加。

I opened the Net console in Chrome developer tools and when I do request such as http://user:[email protected] I do not see Authorization header being added.

我真的很好奇浏览器发送密码以防我在网址前使用 user：pass @ 。

I am really curious to how the browser sends the password in case I use user:pass@ in front of a URL.

推荐答案

要检查标头，您需要针对需要身份验证的服务器进行测试。客户端将不会发送任何授权标头，直到服务器请求它，因为客户端将不知道服务器需要什么样的身份验证方法（基本或摘要）。

To inspect headers, you need to test against a server that requires authentication. The client will not send any Authorization header until the server asks for it since the client won't know what authentication method the server requires (basic or digest).

HTTP身份验证在两个请求中完成：

HTTP authentication is done in two requests:

首先，请求没有发送任何授权标头。
然后服务器以 WWW-Authenticate 响应，告诉客户端如何进行身份验证。这包括领域名称和身份验证方法（同样，这是基本或摘要）

First, a request without any Authorization header is sent.The server then responds with a WWW-Authenticate that tells the client how to authenticate. This includes a realm name and an authentication method (again, this is either basic or digest)

然后客户端发送一个带有额外的新请求授权标题。对于，此标头只是 user：pass base64编码，就像你说的那样：

The client then sends a new request with an additional Authorization header. In the case of basic authentication, this header is just user:pass base64 encoded, just as you are saying:

Authorization: Basic dXNlcjpwYXNz

现在密码在传输过程中可见，除非您使用的是https。更好的选择是，其中 WWW-Authenticate的内容和授权最好由。 ：）

Now the password is visible in transit, unless you are using https. A better option is digest authentication, where the contents of both WWW-Authenticate and Authorization are best explained by the wikipedia article. :)

这篇关于http：// user：[email protected]身份验证如何工作？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！