263

When a server allows access via Basic HTTP Authentication, what is the experience expected to be in a web browser?

Ignoring the web browser for a moment, here's how to create a Basic Auth request with curl:

curl -u myusername:mypassword http://somesite.example

But what about in a Web Browser? What I've seen on some websites, is I visit the URL, and then the server returns response code 401. The browser then displays a username/password prompt.

However, on somesite.example, I'm not getting an authorization prompt at all, just a page that says I'm not authorized. Did somesite not implement the Basic Auth workflow correctly, or is there something else I need to do?

Improve this question
5
  • Are you sure you use Basic Auth and not Digest? Commented Jan 11, 2010 at 19:36
  • not sure of the difference, unless you are asking if I base-64 encode. if i was doing that programatically it would, but curl does that for me. Commented Jan 11, 2010 at 19:39
  • You can find out what authentication is used from WWW-Authenticate response header (value: Digest or Basic). Commented Jan 13, 2010 at 9:42
  • 2
    I think this question needs to be rephrased. More than one respondent thinks it's a question about curl rather than the browser. Commented May 2, 2017 at 16:28
  • Do you mean "authentication" when you use term "authorization" ? Commented Jun 1, 2020 at 9:41

7 Answers 7

Reset to default
163

To help everyone avoid confusion, I will reformulate the question in two parts.

First: "how can make an authenticated HTTP request with a browser, using BASIC auth?".

In the browser you can do a HTTP basic auth first by waiting the prompt to come, or by editing the URL if you follow this format: http://myusername:[email protected]

NB: the curl command mentionned in the question is perfectly fine, if you have a command-line and curl installed. ;)

References:

Also according to the CURL manual page https://curl.haxx.se/docs/manual.html

HTTP Curl also supports user and password in HTTP URLs, thus you can pick a file like: curl http://name:[email protected]/full/path/to/file or specify user and password separately like in curl -u name:passwd http://machine.domain/full/path/to/file HTTP offers many different methods of authentication and curl supports several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which method to use, curl defaults to Basic. You can also ask curl to pick the most secure ones out of the ones that the server accepts for the given URL, by using --anyauth. NOTE! According to the URL specification, HTTP URLs can not contain a user and password, so that style will not work when using curl via a proxy, even though curl allows it at other times. When using a proxy, you _must_ use the -u style for user and password.

The second and real question is "However, on somesite.example, I'm not getting an authorization prompt at all, just a page that says I'm not authorized. Did somesite not implement the Basic Auth workflow correctly, or is there something else I need to do?"

The curl documentation says the -u option supports many method of authentication, Basic being the default.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

The question is about curl, which is not a browser.
You may have not read the question entirely, as it says just under the curl command: "However, right now I don't have access to curl (long story), and I want to just do it from the web browser, if possible." ;)
I totally agree that curl works fine, I personnally use it on a regular basis, but the question is not about curl...
The asker wants to know why auth. isn't working in the browser. The question isn't about cURL.
68

Have you tried?

curl somesite.example --user username:password
Improve this answer

2 Comments

@daronwolff You only switched the arguments positions and replaced -u with --user (which is only the long term), but apart from that you wrote exactly what the OP already wrote in his question
The asker wants to know why auth. isn't working in the browser. The question isn't about cURL.
15

You might have old invalid username/password cached in your browser. Try clearing them and check again.

If you are using IE and somesite.example is in your Intranet security zone, IE may be sending your Windows credentials automatically.

Improve this answer

Comments

9

WWW-Authenticate header

You may also get this if the server is sending a 401 response code but not setting the WWW-Authenticate header correctly - I should know, I've just fixed that in out own code because VB apps weren't popping up the authentication prompt.

Improve this answer

Comments

7

If there are no credentials provided in the request headers, the following is the minimum response required for IE to prompt the user for credentials and resubmit the request.

Response.Clear(); Response.StatusCode = (Int32)HttpStatusCode.Unauthorized; Response.AddHeader("WWW-Authenticate", "Basic");
Improve this answer

Comments

5

You can use Postman a plugin for chrome. It gives the ability to choose the authentication type you need for each of the requests. In that menu you can configure user and password. Postman will automatically translate the config to a authentication header that will be sent with your request.

Improve this answer

Comments

0

Not 100% related to the OP but I couldn't find any answers to this, so my solution may help someone else.

In Firefox, on certain sites I wasn't getting the Basic Authentication popup, and I could see a 401 in the access logs. So basically the server thought I had a bad password and the browser was somehow caching this. I could figure out how to reset the password in Firefox, until I eventually realised that you can just do this to reset Firefox's cached password:

https://user/password@url-requiring-basic-authentication

Hopefully that will save someone else some pain if they find themselves in the same boat.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.