1
votes

I would like to have a site where some content is public while some other is only visible for authenticated users. So authentication would be possible, but not required. I would like to know if this is possible.

Some background:

To tell the client authentication is available in the first place I need to send some headers. As I understand RFC 2617 the 'WWW-Authenticate' header field MUST always be part of a '401 (Unauthorized)' response.

Now some clients (e.g. wget) will stop trying when they get a 401 header (wget actually uses the term 'Authorization Required' rather than 'Unauthorized').

So is this a wget bug or is there no such thing as optional http basic auth?


1 Answer

5
votes

401 Unauthorized is specifically for when authorization is required but not provided (or not provided correctly).

In your scenario, you'd only send the WWW-Authenticate header for requests that require authentication - if the auth is cancelled or not satisfactory, you then return 401.

Users would not be prompted to auth until making a request that requires it. No requests have optional authentication - the request is either allowed to anonymous users or not.

It's worth noting that HTTP auth is a bad choice for website logins, for a few reasons:

  • there is no concept of logging out
  • authentication details are sent in plain text (unless over SSL)
  • the interface/UX cannot be amended
  • there is no such thing as a password reminder, self-registration, minimum password requirements etc

HTTP auth comes from an era when sites were static, so security was dealt with at a webserver level.
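To show the model described in the answer in running code (an added example, not the answerer's or the original post's), here is a small Python server in which public paths never send `WWW-Authenticate`, and only the protected path answers 401 with that header when credentials are missing or wrong. The user table, realm and path names are constructed for the demo.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo data (hypothetical, not from the post).
USERS = {"alice": "s3cret"}
PUBLIC_PATHS = {"/", "/about"}
PRIVATE_PATHS = {"/members"}
REALM = "Members only"

def check_basic(auth_header):
    """Return the username if the Basic credentials are valid, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 payload
    expected = USERS.get(user)
    # Constant-time comparison so timing does not reveal which part was wrong.
    if expected is not None and hmac.compare_digest(expected, password):
        return user
    return None

def route(path, auth_header=None):
    """Return (status, headers, body). WWW-Authenticate is only sent with a 401
    on a protected path; anonymous requests to public paths never see it."""
    if path in PUBLIC_PATHS:
        return 200, {}, b"public content\n"
    if path in PRIVATE_PATHS:
        user = check_basic(auth_header)
        if user is None:
            challenge = f'Basic realm="{REALM}", charset="UTF-8"'
            return 401, {"WWW-Authenticate": challenge}, b"authentication required\n"
        return 200, {}, f"hello {user}\n".encode()
    return 404, {}, b"not found\n"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = route(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A client that fetches only public paths never receives a 401, so a tool that gives up on the first 401 is unaffected; it is the per-request decision, not a site-wide "optional" challenge, that makes this work.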