When does HTTP Authentication occur? Is one of them by using http://peter:mypassword@www.somesite.com?

StackOverflow https://stackoverflow.com/questions/5112280

Question

There seem to be 2 kinds of HTTP Authentication: Basic access authentication and Digest access authentication.

So I think in general, a user tries to access a URL, and the web server returns 401 Unauthorized, and then the browser pops up an app window asking for username and password, sets the credentials in the HTTP headers, and then sends the HTTP request again.

What about http://peter:mypassword@www.somesite.com ? Is that supposed to not wait for the 401 to come back but provide the username and password in advance? Somehow, I tried http://peter:mypassword@www.google.com or Yahoo, but inside of Fiddler (to monitor net traffic), I don't see any credential info in the HTTP request?

Solution

You still need to send the 401 on the server side. The user:pass@host is just a convenience to avoid displaying the login dialog.

If you think about it, this makes sense, because if you don't send the 401 with the header explaining which method to use, the client doesn't know how to format the credentials.

(There are actually any number of schemes, not just Basic and Digest.)
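The challenge-then-retry behaviour this answer describes, as an added example that is not part of the original posts: the client holds the `user:pass@` credentials but can only build an `Authorization` header once a `WWW-Authenticate` challenge names the scheme. The function names, the `site` realm and the fixed `cnonce`/`nc` defaults are assumptions made for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit, unquote

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header.partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest)
    return scheme.lower(), {k: quoted or bare for k, quoted, bare in pairs}

def authorization_for(url, method, challenge, cnonce="0a4f113b", nc="00000001"):
    """Authorization header for the retry, or None if no 401 challenge was seen.

    cnonce/nc are fixed here only to keep the output reproducible; a real
    client generates a fresh random cnonce and counts nc per nonce.
    """
    if challenge is None:
        return None  # userinfo alone does not say which scheme to use
    parts = urlsplit(url)
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")
    scheme, p = parse_challenge(challenge)
    if scheme == "basic":
        # Only base64: anyone who sees this header can recover the password.
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return f"Basic {token}"
    if scheme == "digest":  # MD5 with qop=auth, as in RFC 2617
        # Simplification: query string and the opaque echo are left out.
        uri = parts.path or "/"
        ha1 = md5_hex(f"{user}:{p['realm']}:{password}")
        ha2 = md5_hex(f"{method}:{uri}")
        resp = md5_hex(f"{ha1}:{p['nonce']}:{nc}:{cnonce}:{p['qop']}:{ha2}")
        return (f'Digest username="{user}", realm="{p["realm"]}", '
                f'nonce="{p["nonce"]}", uri="{uri}", qop={p["qop"]}, '
                f'nc={nc}, cnonce="{cnonce}", response="{resp}"')
    raise ValueError(f"unsupported scheme: {scheme}")

if __name__ == "__main__":
    url = "http://peter:mypassword@www.somesite.com/"   # URL from the question
    print(authorization_for(url, "GET", None))                   # first request
    print(authorization_for(url, "GET", 'Basic realm="site"'))   # constructed 401
```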

Other tips

For some understanding of it, there is a Railscast that talks about HTTP Basic Authentication and adding it to a Rails project and what it looks like in a browser: http://railscasts.com/episodes/82-http-basic-authentication

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow