Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the HTTP_AUTHORIZATION environment variable?

Tags:

http-headers

environment-variables

webserver

HTTP_AUTHORIZATION seems to be a server side environment variable, but what values can it be? Are there examples? Is it set by some HTTP headers?

Also, how does it look like on the browser side when it asks for username and password (is it an HTML form or is it a popup box that asks for username and password (which is modal and so if not clicking OK or Cancel, then the browser cannot be click on)).

Usually, a user login form will POST to the server with POST variables such as

username=peter&password=123

so what is this HTTP_AUTHORIZATION about?

like image 654
nonopolarity Avatar asked Feb 24 '11 20:02

nonopolarity

1 Answers

Just so we're on the same page, a typical POST request looks something like this:

POST /some/page HTTP/1.1                            <-- request line
Host: www.example.com                               <-------------------\
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) <--| headers
Content-Length: 27                                  <-------------------/
... some other headers ...
                                                    <-- blank line
username=peter&password=123                         <-- POST data, if any

The environment variables beginning HTTP_ are a hangover from the days when CGI scripts were the main way to serve dynamic content, and they indicate to your server-side code that the client supplied a particular header as part of the request. From the CGI spec:

Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.

The Authorization: header used in a number of HTTP authentication mechanisms; the usual flow is:

  1. browser attempts to request a page
  2. server responds with "401 Unauthorized" and a WWW-Authenticate: header containing a scheme and (sometimes) a challenge
  3. browser prompts user for credentials, then re-sends the request with an Authorization: header containing a response to the challenge

The exact format of the challenge and response differs depending on which authentication scheme is in use; RFC2617 (which gpcz linked to) covers "basic" (most common, sends base64-encoded "username:password") and "digest" (contains a cryptographic hash), and NTLM is another that's seen in some Windows environments.

like image 71
SimonJ Avatar answered Oct 12 '22 13:10

SimonJ
Sign in to Comment

Related questions

Why use quality values in the HTTP Accept-Language header?
Modifying HTTP response headers in Firefox
Rails 5: How Can a Form Submit with Custom HTTP Headers?
Access HTTP response headers in for flash.net.URLLoader object?
Rate limit in nginx based on http header
What are the options for the gzip_proxied directive for?
Anonymous caller does not have storage.objects.get
Which Java libraries do HTTP Accept Header Parsing? [closed]
How to set a header in an HTTP response?
What headers do I want to send together with a 304 response?
REST - Modify Part of Resource - PUT or POST
Get the content (text) of an URL after Javascript has run with PHP
How do I configure `Access-Control-Allow-Origin` with rails, nginx and passenger?
Is using custom json content-types a good idea
How do we pass multiple headers in rest assured?
How can I tell when HTTP Headers have been sent in an ASP.NET application?
URLConnection setRequestProperty vs addRequestProperty
View and Set HTTP headers for Safari/Chrome
What is the q=0.01 $.getJSON adds to the request header?
How to escape a line break literal in the HTTP header?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!