authorization – Are Basic and Digest Authentication Used in Modern Web Projects?

Question:

I don't know much about them, so my little-informed opinion is still on the position that they will almost never be useful, and if you need to create a light or medium-sized web project, then the authentication and authorization algorithm for users and admins will be entirely on the shoulders of the web developer, and most likely everyone does this?

Answer:

First, let's take a look at how the authentication mechanisms you listed work.

With HTTP Basic authentication, along with each HTTP request, a username / password pair is transmitted in the headers, which allows the user to be unambiguously authenticated.

HTTP Digest authentication is similar to HTTP Basic, but instead of a username / password combination, a checksum is transmitted, calculated based on the request parameters (method, URI, sometimes the request body), username, password and, possibly, several additional parameters. (Often a nonce that is unique to each request is used to prevent a replay attack.)

As for other types of authentication, the most common in web applications is cookie-based authentication. The user sends the login / password to the server, the server checks this data and, if successful, gives the user a Set-Cookie header with the user session identifier. For all subsequent requests, the user transmits this identifier via Cookie, which is used for authentication.

The fundamental difference between the first two methods and the last one is that for the HTTP Basic and HTTP Digest mechanisms, the server does not need to store user session data (user session identifier). With this approach, each HTTP request contains all the information necessary to build a response and can be isolated from previous / subsequent requests.

The idea of a server that does not store the state of user sessions is at the heart of the rather popular RESTful approach. This approach is often used to build a server-side API.

And yes, to say that HTTP Basic / Digest is not used in modern web projects is wrong. It all depends on the complexity, goals and objectives of the project.
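As an added illustration (not part of the original answer), here is a minimal Python model of the two stateless schemes described above: the client builds the Authorization header, the server verifies it without any session store, and the Digest path (RFC 2617, qop=auth) checks the server-issued nonce and the nonce-count so that a replayed request is rejected. The realm, user, password and the simplistic header parser (no commas inside quoted values) are constructed assumptions for the demo.

```python
import base64, hashlib, secrets
# Constructed demo credential store (not from the original answer); a real server stores hashes.
REALM = "demo"
USERS = {"alice": "s3cret"}
_nonces = {}  # server-issued nonce -> highest nonce-count (nc) accepted so far

def basic_header(user: str, password: str) -> str:  # client side; base64 only, TLS gives secrecy
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def verify_basic(header: str) -> "str | None":
    # Server side, stateless: each request carries everything needed. Returns the user or None.
    scheme, _, blob = header.partition(" ")
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    ok = scheme == "Basic" and user in USERS and secrets.compare_digest(USERS[user].encode(), password.encode())
    return user if ok else None

def issue_nonce() -> str:
    # Server side: fresh nonce for the WWW-Authenticate: Digest challenge (no per-user session).
    nonce = secrets.token_hex(16)
    _nonces[nonce] = 0
    return nonce

def digest_response(user, password, method, uri, nonce, nc, cnonce) -> str:
    # RFC 2617 qop=auth: MD5(MD5(user:realm:password):nonce:nc:cnonce:auth:MD5(method:uri)); password never travels
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    return h(f"{h(f'{user}:{REALM}:{password}')}:{nonce}:{nc}:{cnonce}:auth:{h(f'{method}:{uri}')}")

def digest_header(user, password, method, uri, nonce, nc, cnonce) -> str:  # client side
    resp = digest_response(user, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def verify_digest(header: str, method: str) -> "str | None":
    # Server side: recompute the response; reject unknown nonces and a non-increasing nc (replay).
    scheme, _, rest = header.partition(" ")
    p = {k.strip(): v.strip().strip('"') for k, _, v in (x.partition("=") for x in rest.split(","))}
    try:
        user, nonce, nc, given = p["username"], p["nonce"], int(p["nc"], 16), p["response"]
        if scheme != "Digest" or p["realm"] != REALM or p["qop"] != "auth":
            return None
        expected = digest_response(user, USERS[user], method, p["uri"], nonce, p["nc"], p["cnonce"])
    except (KeyError, ValueError):
        return None  # malformed header or unknown user
    if nonce not in _nonces or nc <= _nonces[nonce] or not secrets.compare_digest(expected, given):
        return None  # unknown/expired nonce, replayed nonce count, or wrong credentials
    _nonces[nonce] = nc
    return user
```

Note that the server keeps only the nonces it issued, not who is logged in, which is the statelessness the answer contrasts with cookie sessions.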

Comment:

It is important to understand the difference between authentication and authorization.

Authentication is usually understood as the process of determining that a user is who he or she claims to be. Authorization is usually understood as checking the authority of a specific, already authenticated user to perform certain actions in the system.

Only the authentication methods have been listed above. Building the correct user authorization mechanism still rests on the shoulders of the developer.
