%META:TOPICINFO{author="PeterThoeny" date="1128660776" format="1.0" version="1.2"}%
%TOC%

---# Basic Authentication

_This page explains what Basic Authentication is._

Basic Authentication is _not_ a TWiki service, it is a service of your web server.  Configuration of Basic Authentication is necessarily a function of your web server, both Apache and IIS require the web server administrator to set parameters to initiate this service.  To implement Basic Authentication for your specific web server you will need to consult each server's documentation for the particulars.  In short, you will need to read another manual than the TWiki manuals to get Basic Authentication working.  This page will give you a broad explanation of the principles of Basic Authentication.  

---++ Basic Authentication and Security

Caution is in order before you charge off and set up Basic Authentication.  First, it is not really secure.  Unless you have SSL2 encryption enabled, or are connecting over a VPN, the traffic between the server and a client is plain text.  A packet sniffer can read the traffic and conceivably read your userid and password as Basic Authentication starts up.  Hiding this traffic and the rest of a session is why encryption exists.  However, like a lock on your front door, the idea behind Basic Authentication is to deter the casual snoop.  

A second caution: if there is a bug in your configuration or in your server, Basic Authentication can fail in a hard-to-detect manner.  This obscurity is due to the authenticated session actually being layered over a connection-less protocol (HTTP).

---++ Client and Server Interaction

To avoid having the user resend his/her userid and password with every HTTP connection the client and server have resorted to a couple of common conventions.  These conventions are: 

	1 The client browser remembers the userid and password for a given domain name and "realm".  The browser then automatically sends the userid and password with _every_ HTTP transaction (command/response pair).  Security is not helped by this userid/password being resent in plaintext with every transaction.%BR% %BR%
	1 The server remembers the IP# of the incoming connection and associates it with the userid of that session.  Every subsequent connection then assumes the userid when a connection arrives from an IP# associated with a previously authenticated userid.  Apparently TWiki does not time out this information which it stores in the (twiki dir)/data/remoteusers.txt file.  See the TWiki documentation on [[TWikiUserAuthentication#Partial_Authentication][Partial Authentication]] for more on this.  

Debugging your Basic Authentication means scouring out all the authentication information on both your client and server.  Until you do so a Basic Authentication bug can be elusive.  Of course you need administrator access to the web server to configure, test, and often debug Basic Authentication.

---++ User Login and Logout

Many modern browsers allow one to "clear" passwords and other information from the browser data store.  However, once authenticated to a page, many browsers, <nop>FireFox for one, will preserve that authentication until the program is terminated.  Certainly in <nop>FireFox, closing the authenticated window and reopening it will not trigger a Basic Authentication challenge; the program and all associated windows and tabs must be terminated to force re-authentication.  To avoid this necessity in <nop>FireFox or Mozilla, use the [[http://texturizer.net/firefox/extensions/#clearhttpauth][Clear HTTP Auth]] or [[http://www.chrispederick.com/work/firefox/webdeveloper/][Web Developer]] extensions.  

When you set up Basic Authentication you will see that TWiki needs a means of user login and user logout.  This would allow you to easily shift between users to see what view, edit, etc. authorizations are working.  

Because Basic Authentication information is stored on the client, the Apache documentation (link below) and other experts believe it is not possible to have a user log out.  This is in fact not true, for one can, on "log out," change the realm supplied to a given client IP#, invalidating the client-side stored realm paired with userid/password.  The result would be a classic Basic Authentication challenge.
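The following is an added example, not code from this page, TWiki, Apache or IIS.  It is a small Python model of the conventions described above: the =Authorization= header is only base64 of =userid:password= (so a sniffer recovers it directly), the browser caches credentials per (host, realm) and resends them with every request, and a "log out" is simulated by the server answering =/logout= with a 401 carrying a changed realm.  The host name =wiki.example=, the user =alice= with password =s3cret=, the realm =TWiki=, the =/logout= path and the =Server= and =Browser= classes are all constructed for illustration; the browser model is deliberately simplified and sends cached credentials only for the realm it last saw from that host.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed sample credentials; a real server reads these from an htpasswd file.
USERS: Dict[str, str] = {"alice": "s3cret"}


def encode_basic(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization header value.

    Anyone who can read the wire can do this: base64 is an encoding, not encryption.
    Returns None when the value is not a well-formed Basic credential.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


class Server:
    """Toy stand-in for Apache/IIS protecting a path with Basic Authentication."""

    def __init__(self, realm: str):
        self.realm = realm
        self.generation = 0

    def challenge(self) -> dict:
        """The 401 response; the realm is what the browser keys its credential cache on."""
        return {"status": 401, "realm": self.realm}

    def handle(self, path: str, headers: dict) -> dict:
        if path == "/logout":
            # The Authorization header carries no realm, so the server cannot by itself
            # refuse credentials that are still valid.  Changing the realm it advertises
            # makes the browser's cached (host, realm) entry irrelevant and forces a prompt.
            self.generation += 1
            self.realm = f"{self.realm.split('#')[0]}#{self.generation}"
            return self.challenge()
        creds = decode_basic(headers.get("Authorization", ""))
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return self.challenge()
        return {"status": 200, "user": creds[0]}


class Browser:
    """Toy client: remembers credentials per (host, realm) and resends them on every request."""

    def __init__(self):
        self.store: Dict[Tuple[str, str], str] = {}   # (host, realm) -> Authorization value
        self.realm_seen: Dict[str, str] = {}          # host -> realm of the last challenge

    def request(self, host: str, server: Server, path: str = "/",
                user: Optional[str] = None, password: Optional[str] = None) -> dict:
        headers = {}
        realm = self.realm_seen.get(host)
        if realm is not None and (host, realm) in self.store:
            headers["Authorization"] = self.store[(host, realm)]   # resent with every request
        response = server.handle(path, headers)
        if response["status"] != 401:
            return response
        realm = response["realm"]
        self.realm_seen[host] = realm
        if (host, realm) not in self.store:
            if user is None:            # nothing typed at the prompt: stay unauthenticated
                return response
            self.store[(host, realm)] = encode_basic(user, password)
        return server.handle(path, {"Authorization": self.store[(host, realm)]})


def walkthrough() -> list:
    """Run the exchange described in the text and return the status code of each step."""
    server, browser, host = Server("TWiki"), Browser(), "wiki.example"
    return [
        browser.request(host, server)["status"],                                   # 401, realm "TWiki"
        browser.request(host, server, user="alice", password="s3cret")["status"],  # 200, credentials cached
        browser.request(host, server, path="/view/Main/WebHome")["status"],        # 200, header resent unasked
        browser.request(host, server, path="/logout")["status"],                   # 401, realm now "TWiki#1"
        browser.request(host, server)["status"],                                   # 401, nothing cached for new realm
    ]
```

Running =walkthrough()= gives =[401, 200, 200, 401, 401]=.  The third step is the point of caution above: nothing asked for the credentials, the browser sent them anyway, and =decode_basic= shows how little work a sniffer needs to read them.  The last two steps are the realm-change logout; note that it only works because the browser's cache is keyed on the realm, since the server itself would still have accepted the old, still-valid header.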

---++ Links to Server Documentation

In order to understand how to implement Basic Authentication on your server, you need to read beyond the TWiki documentation:

---+++ Apache

	* [[http://httpd.apache.org/docs/howto/auth.html#basic][Apache Authentication, Authorization, and Access Control]]
	* [[http://httpd.apache.org/docs/howto/htaccess.html][Apache Tutorial - .htaccess files]]

---+++ IIS (Internet Information Services)

	* [[http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiabasc.htm][About Authentication]] (includes Basic Authentication)
	* [[http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiauths.htm][Enabling and Configuring Authentication]]

-- TWiki:Main.RichardFreytag - 19 Dec 2004 %BR%
-- TWiki:Main.PeterThoeny - 23 Dec 2004

