![]() ![]() ![]() For a public-facing web site, you typically want to authenticate against an ASP.NET membership provider. That means the user must have an account on the server's domain. IIS supports Basic authentication, but there is a caveat: The user is authenticated against their Windows credentials. See Preventing Cross-Site Request Forgery (CSRF) Attacks. After the user enters credentials, the browser automatically sends them on subsequent requests to the same domain, for the duration of the session. ![]() See Working with SSL in Web API.īasic authentication is also vulnerable to CSRF attacks. For example, you might define several realms in order to partition resources.īecause the credentials are sent unencrypted, Basic authentication is only secure over HTTPS. The credentials are not encrypted.īasic authentication is performed within the context of a "realm." The server includes the name of the realm in the The exact scope of a realm is defined by the server. The credentials are formatted as the string "name:password", base64-encoded. The client sends another request, with the client credentials in the Authorization header.The response includes a WWW-Authenticate header, indicating the server supports Basic authentication. If a request requires authentication, the server returns 401 (Unauthorized).Vulnerable to cross-site request forgery (CSRF) requires anti-CSRF measures.No way to log out, except by ending the browser session.Credentials are sent with every request.User credentials are sent in the request.Basic authentication is defined in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |