HTTP Authentication: Basic and Digest Access Authentication (RFC2617)
Original Publication Date: 1999-Jun-01
Included in the Prior Art Database: 2000-Sep-13
Internet Society Requests For Comment (RFCs)
J. Franks: AUTHOR [+7]
"HTTP/1.0", includes the specification for a Basic Access Authentication scheme. This scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL ), as the user name and password are passed over the network as cleartext.
Network Working Group J. Franks
Request for Comments: 2617 Northwestern University
Obsoletes: 2069 P. Hallam-Baker
Category: Standards Track Verisign, Inc.
Agranat Systems, Inc.
Netscape Communications Corporation
Open Market, Inc.
HTTP Authentication: Basic and Digest Access Authentication
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (1999). All Rights Reserved.
"HTTP/1.0", includes the specification for a Basic Access
Authentication scheme. This scheme is not considered to be a secure
method of user authentication (unless used in conjunction with some
external secure system such as SSL ), as the user name and
password are passed over the network as cleartext.
This document also provides the specification for HTTP's
authentication framework, the original Basic authentication scheme
and a scheme based on cryptographic hashes, referred to as "Digest
Access Authentication". It is therefore also intended to serve as a
replacement for RFC 2069 . Some optional elements specified by
RFC 2069 have been removed from this specification due to problems
found since its publication; other new elements have been added for
compatibility, those new elements have been made optional, but are
Like Basic, Digest access authentication verifies that both parties
to a communication know a shared secret (a password); unlike Basic,
this verification can be done without sending the password in the
clear, which is Basic's biggest weakness. As with most other
authentication protocols, the greatest sources of risks are usually
found not in the core protocol itself but in policies and procedures
surrounding its use.
Table of Contents
1 Access Authentication..................................