Why should I use HTTP basic authentication instead of username and password post parameters?

13
votes

I have an API endpoint https://www.example.com/api/authentication which takes username and password as input and returns an authentication token.

In terms of passing username and password, I have two options (at least), namely:

  1. HTTP Basic Authentication (which passes credentials as part of HTTP headers)
  2. HTTP POST parameters

I understand that neither method provides encryption (hence the use of HTTPS/SSL). I also understand why using HTTP GET is is a Bad Idea.

Is there any real difference (aside from the fact that basic authentication feels more idiomatic) between the two methods?

2
basic-authentication
I don't think there is any (real) difference either, good question thoughinspite

2 Answers

10
votes

The difference is that basic authentication is a well specified challenge/response scheme that all browsers understand and it is the server that starts it by telling a client that it requires (basic) authentication for a realm. This triggers the browser to show a popup to the user to enter a name/password which it then passes in the headers as you described.

In your second example you have to do all that in your own customized way and create your own login form for the user (etc).

If you deduct this process to the single step of passing the username/password from the client to the server I have to agree that there isn't that much difference but basic authentication implies a bit more than just that.

2
votes

HTTP Basic authentication implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes.