This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Basic Authentication

Revision as of 15:24, 30 June 2010 by Craig Younkins (talk | contribs) (Created page. Basic auth stinks.)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Basic authentication is an authentication scheme specified in RFC 1945 and is supported by all popular browsers.

Basic authentication is not secure and should not be used in applications.

  • The username and password are concatenated and sent in an HTTP header on every subsequent request. Compared with session based authentication, this substantially increases the amount of time the credentials are on the wire in plaintext.
  • There is no way for the user to log out. Credentials remain stored in the browser until the browser is closed or the user clears their history.