A typical
authentication scenario proceeds like this:
1. The client requests a restricted resource.
2. The server responds to this request with a 401 (Unauthorized) response
message. The response carries a WWW-Authenticate header naming the
authentication scheme and the realm the resource belongs to.
3. The client (browser) recognizes the 401 response and its WWW-Authenticate
header and produces a pop-up authentication prompt similar to the one shown
in Figure 14-1. Most modern browsers understand HTTP authentication and offer
this capability, including Internet Explorer, Netscape Navigator, Mozilla,
and Opera.
4. The user-supplied credentials (namely, the username and password) are sent
back to the server in an Authorization header for validation. If the user
supplies correct credentials, access is granted; otherwise it's denied.
5. If the user is validated, the browser stores the authentication information
within its authentication cache and resends it with subsequent requests to the
same realm, so the user is not prompted again. This cached information remains
within the browser until the cache is cleared (typically when the browser is
closed), or until another 401 server response is sent to the browser.
Figure 14-1. An authentication prompt
Although HTTP authentication effectively controls access to restricted resources,
it does not secure the channel in which the authentication credentials travel. That is,
it is fairly trivial for a well-positioned attacker to sniff, or monitor, all traffic taking
place between a server and a client. Both the supplied username and password are
included in this traffic, and neither is encrypted: the browser merely base64-encodes
the "username:password" pair, and that encoding is reversed by anyone who reads the
packet. The only effective countermeasure is to carry the exchange over an encrypted
channel (HTTPS), so the credentials cannot be read in transit.
CHAPTER 14 – AUTHENTICATING YOUR USERS 367
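The five-step exchange above, and the sniffing problem that follows it, as an added example in Python that is not from the book. One function plays the server (it issues the 401 with WWW-Authenticate, then validates the Authorization header), one builds the header a browser sends after the prompt, and one shows what a passive observer on the wire recovers from that header. The user store, the realm name and the credentials are constructed for the example.

```python
import base64
import hmac

# Constructed credential store for the example: username -> password.
# A real application would store salted password hashes, not plaintext.
USERS = {"alice": "s3cret"}
REALM = "Members Only"  # assumed realm name for the example


def parse_basic_authorization(header_value):
    """Parse an 'Authorization: Basic <base64>' header value.

    Returns (username, password), or None if the header is absent,
    uses another scheme, or is not valid base64 / UTF-8.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain a colon, so everything after the
    # first colon is the password; a password containing ':' still round-trips.
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def handle_request(headers):
    """Server side of the exchange: return (status, response_headers, body)."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is not None:
        username, password = creds
        expected = USERS.get(username)
        # Constant-time comparison so a wrong password is rejected without
        # leaking how much of it matched.
        if expected is not None and hmac.compare_digest(
            password.encode("utf-8"), expected.encode("utf-8")
        ):
            return 200, {}, "restricted content for %s" % username
    # Step 2: the 401 must carry WWW-Authenticate; that header, not the status
    # code alone, is what makes the browser show the login prompt.
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, "Unauthorized"


def build_authorization_header(username, password):
    """Client side of step 4: the header a browser sends after the prompt."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def sniffed_credentials(authorization_header):
    """What a passive observer recovers from a captured plaintext request.

    Nothing here is secret: base64 is an encoding, not encryption.
    """
    return parse_basic_authorization(authorization_header)


def run_exchange():
    """Walk through the five steps; return the observed trace and the header."""
    trace = []
    status, resp_headers, _ = handle_request({})           # steps 1-2: no credentials yet
    trace.append((status, resp_headers.get("WWW-Authenticate")))
    auth = build_authorization_header("alice", "s3cret")    # steps 3-4: user fills the prompt
    status, _, body = handle_request({"Authorization": auth})
    trace.append((status, body))
    status, _, _ = handle_request({"Authorization": auth})  # step 5: browser replays cached header
    trace.append((status, None))
    return trace, auth


if __name__ == "__main__":
    trace, auth = run_exchange()
    for step in trace:
        print(step)
    print("on the wire:", auth, "->", sniffed_credentials(auth))
```

Running it shows the 401 with its realm, the 200 once the header is present, and finally the username and password recovered verbatim from the Authorization header, which is exactly what a sniffer between client and server sees.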