Understanding the purpose of "realm" in Basic WWW Authentication

I'm having difficulty understanding the purpose of the "realm" value in the WWW-Authenticate header used for basic HTTP authentication.

This question asks what the "realm" value is - and the answer seems pretty straightforward. The "realm" is sort of like a namespace, indicating a collection of protected resources.

Okay, so I get the abstract concept. But in practice, especially from the perspective of an HTTP client, how does "realm" actually help?

When authenticating over HTTP, the basic workflow seems to be:

  1. The server issues a challenge in the form of a WWW-Authenticate header.

  2. The client responds with an Authorization header, along with a base64-encoded string containing the username and password.

  3. The client is now granted access (or denied if the credentials are wrong).

So where in any of this should the client have to care about the "realm" value sent by the server?

It's my understanding that if the client wants to access a protected resource again, the only thing necessary is to send the "Authorization" header again. So... again, how does the "realm" play into all of this?

Just to be clear... I understand what a "realm" is conceptually... I just don't see how it's used in practice by HTTP clients.

Siler asked Apr 19 '14 15:04




1 Answer

> I just don't see how it's used in practice by HTTP clients.

The browser will not ask the user for credentials while the realm stays the same. So if you log on to http://example.com/ApplicationA which provides a certain realm value, then http://example.com/ApplicationB using the same realm can reuse the credentials the user entered for application A because their "canonical root URL" is the same (http://example.com), so the browser doesn't have to pop up the credentials form again.

Browsers seem to implement this differently though: depending on what part of the URI changes, some will ask for credentials again even if the realm and canonical root URL stay the same.

CodeCaster answered Sep 21 '22 05:09
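As an added example (not code from the original answer), here is a small Python model of the credential reuse the answer describes: a client caches Basic credentials keyed by the canonical root URL plus the realm taken from the server's WWW-Authenticate challenge, and prompts the user again only when either part of that key differs. The URLs, realm names and credentials are constructed.

```python
# Added illustration of realm-scoped credential caching; all inputs are constructed.
import base64
import re
from urllib.parse import urlsplit

# Matches the realm parameter of a Basic challenge, e.g. Basic realm="Staff"
REALM_RE = re.compile(r'^\s*Basic\s+.*?realm="([^"]*)"', re.IGNORECASE)


def parse_realm(www_authenticate: str) -> str:
    """Return the realm string carried by a Basic WWW-Authenticate challenge."""
    m = REALM_RE.match(www_authenticate)
    if not m:
        raise ValueError("not a Basic challenge with a realm: " + www_authenticate)
    return m.group(1)


def canonical_root(url: str) -> str:
    """scheme://host[:port], the part of the URL a realm is scoped to."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class BasicAuthCache:
    """Client-side cache: (canonical root, realm) -> Authorization header value."""

    def __init__(self):
        self._creds = {}
        self.prompts = 0  # how many times the user had to be asked

    def authorization_for(self, url, challenge, ask_user):
        key = (canonical_root(url), parse_realm(challenge))
        header = self._creds.get(key)
        if header is None:  # new root or new realm: the user must be prompted
            self.prompts += 1
            user, password = ask_user(key[1])
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            header = "Basic " + token
            self._creds[key] = header
        return header


def demo():
    """Same root + same realm reuses credentials; a new realm or host prompts again."""
    cache = BasicAuthCache()
    ask = lambda realm: ("alice", "s3cret") if realm == "Staff" else ("root", "other")
    a = cache.authorization_for("http://example.com/ApplicationA", 'Basic realm="Staff"', ask)
    b = cache.authorization_for("http://example.com/ApplicationB", 'Basic realm="Staff"', ask)
    c = cache.authorization_for("http://example.com/Admin", 'Basic realm="Admin"', ask)
    cache.authorization_for("http://other.example.com/ApplicationA", 'Basic realm="Staff"', ask)
    return cache.prompts, a == b, a == c  # (3, True, False)
```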