Menu
How would a preflighted HTTP request look like if you include Basic auth? Like the following conversation? Im having trouble to understand which headers need to be sent where, also because its not possible to debug it properly with Firebug
Client:
OPTIONS /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Origin: http://jsconsole.com
Server:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
Client:
GET /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Access-Control-Allow-Credentials: true
Origin: http://jsconsole.com
Server:
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
WWW-Authenticate: Basic realm="Authorisation Required"
Client:
GET /api/resource HTTP/1.1
Access-Control-Allow-Credentials: true
Authorization: Basic base64encodedUserAndPassword
Access-Control-Request-Method: GET
Origin: http://jsconsole.com
Server:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
556
Note: The HTTP basic authentication scheme can be considered secure only when the connection between the web client and the server is secure. If the connection is insecure, the scheme does not provide sufficient security to prevent unauthorized users from discovering the authentication information for a server.
Basic auth is just that: basic. But basic auth is designed for auth, and cookies are not. Cookies are an abuse over the http protocol, which has nice hooks and error codes and everything if used properly (and basic auth is proper in this aspect).
HTTP basic authentication is a simple challenge and response mechanism with which a server can request authentication information (a user ID and password) from a client. The client passes the authentication information to the server in an Authorization header. The authentication information is in base-64 encoding.
If you're requesting credentials then the server must respond with the specific origin in the Access-Control-Allow-Origin response header (and thus can't use the wildcard *). Of course it would then also need to respond with Access-Control-Allow-Credentials response header too.
114
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
