Behind basic auth

Basic authentication is one of the simples methods of providing credentials to access resources. Today I’m going to take a look on it and provide you with an example of a web page utilizing this mechanism written with PHP and Apache.

How does basic authentication work?

On request to a protected resource, the server sends to the client following header:

WWW-Authenticate: Basic realm="Provide your credentials"

In response client needs to send following header:

Authentication: Basic <base64-encoded credentials>

One lesser known fact is that the credentials can be entered in URL:

In this case, although they are entered in the URL, browser still sends them as proper HTTP headers. This means that if TLS is used, this data is encrypted. Note: the protocol requires encoding and not encrypting the credentials. If you want to send them securely, you need to use HTTPS, otherwise in case of MITM attacks, it’s easy to retrieve them.

Basic auth example with Apache and PHP

Why those two? Because I’ve never used them and I was curious how it works. And from time to time I need a break from Python, so I’ve decided not to go with Flask or Django this time.

The project structure is following:

gonczor@gonczor:~$ cd /var/www/html
gonczor@gonczor:/var/www/html$ tree -a
├── index.html
├── index.php
└── protected
    ├── .htaccess
    └── main.php

1 directory, 4 files

The protected directory has .htaccess file defining access methods:

$ cat protected/.htaccess
AuthUserFile /home/gonczor/.htpasswd
AuthName "Please Enter Password"
AuthType Basic
Require valid-user

As you can see the realm will show Please Enter Password when user enters the site. Credentials are created with htpasswd -c /home/gonczor/.htpasswd gonczor command. It’s important to keep the .htpasswd file outside of the places where web server can access.

Since Apache by default does not allow .htaccess files, proper config file also needs to be modified. In my case it was /etc/apache2/sites-available/000-default.conf, where I needed to add following config allowing to override configuration within /var/www/html/ directory:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
    Order allow,deny

Dive into the communication

Now, let’s see what happens when we try to access the resources. In order to look under the hood we’ll use curl. Lines with stars are curl’s logs, right arrows are communication to the server and left ones are communication from server.

$ curl -v http://gonczor:gonczor@\?q\=123
*   Trying
* Connected to ( port 80 (#0)
* Server auth using Basic with user 'gonczor'
> GET /protected/main.php?q=123 HTTP/1.1
> Host:
> Authorization: Basic Z29uY3pvcjpnb25jem9y
> User-Agent: curl/7.64.1
> Accept: */*
< HTTP/1.1 200 OK
< Date: Tue, 24 Dec 2019 21:09:44 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 62
< Content-Type: text/html; charset=UTF-8
* Connection #0 to host left intact
Welcome to the protected part of the site</br>You sent me: 123* Closing connection 0

As you can see the credentials were sent in the Authorization header. When we decode them we get the provided credentials:

$ echo -n "Z29uY3pvcjpnb25jem9y" | base64 -D

That’s actually good news, because headers are not visible when HTTPS is used and they are not logged by default by the server: - - [24/Dec/2019:22:08:03 +0100] "GET /protected/main.php HTTP/1.1" 401 679 "-" "curl/7.64.1" - gonczor [24/Dec/2019:22:08:17 +0100] "GET /protected/main.php HTTP/1.1" 200 207 "-" "curl/7.64.1"

As you might have noticed the ip addresses vary in the examples. That’s because I still haven’t figured out how to set static IPs on my router 😛 Traditional methods have not been useful 🙁


Since it’s Christmas time, I’d like to wish you all the best. Happy, calm time with your nearest and dearest, interesting security cases you will find before black hats do and fulfillment with whatever you do. And make it snow:

ruby -e 'C=`stty size`.scan(/\d+/)[1].to_i;S=["2743".to_i(16)].pack("U*");a={};puts "\033[2J";loop{a[rand(C)]=0;a.each{|x,o|;a[x]+=1;print "\033[#{o};#{x}H \033[#{a[x]};#{x}H#{S} \033[0;0H"};$stdout.flush;sleep 0.1}'


Wikipedia on basic authentication

Project on Gitlab

See also