Question
Can anyone explain how http://user:[email protected] authentication works? Does the browser send the Authorization header with user:pass being base-64 encoded?
I opened the Net console in Chrome developer tools, and when I make a request such as http://user:[email protected] I do not see an Authorization header being added.
I am really curious how the browser sends the password in case I use user:pass@ in front of a URL.
Answer
To inspect headers, you need to test against a server that requires authentication. The client will not send any Authorization header until the server asks for it, since the client won't know what authentication method the server requires (basic or digest).
HTTP authentication is done in two requests:
1. First, a request without any Authorization header is sent. The server then responds with a WWW-Authenticate header that tells the client how to authenticate. This includes a realm name and an authentication method (again, this is either basic or digest).
2. The client then sends a new request with an additional Authorization header. In the case of basic authentication, this header is just user:pass base64 encoded, just as you are saying:

   Authorization: Basic dXNlcjpwYXNz
Now the password is visible in transit, unless you are using https. A better option is digest authentication, where the contents of both WWW-Authenticate and Authorization are best explained by the wikipedia article. :)