  1. #1

    Confused: How does HTaccess do this?

    When a user successfully logs in to an htaccess-protected directory (i.e. enters his username and password), how does the webserver know who has already logged in?

    Why doesn't it continue requesting username and password from the logged in user? Does it use cookies to know who has already logged in?

  2. #2
    The first time a user requests a protected resource, the server will respond with status 401 (Unauthorized) and a WWW-Authentication header that tells the user agent what authentication scheme is in use. This will usually result in the browser displaying the login/password dialog. If the user provides a login and password, the browser will calculate a hash (at least for "basic" authentication, which is the common, standard one) and send it in an Authorization header for future requests from the same server.

    So the webserver knows you have logged in because your browser caches the authentication information and sends it for every request. There are no cookies involved, although the mechanism is very similar.

  3. #3
    So is it all web browsers that understand WWW-Authentication and know how to add authentication information to every request?

    Also do WAP browsers and other browsers (text browsers) understand WWW-Authentication?

    Thanks in advance

  4. #4
    The WWW-Authentication header and the Basic authentication mechanism are described in the HTTP 1.0 RFC and are so simple to implement that pretty much any web browser or server will support it.

    I don't know enough about WAP browsers to tell you whether all of them support authentication, but I would expect that to be the case.
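
The exchange described in reply #2, as an added example that is not part of the original thread: a stateless server-side check plus the header a client resends on every request. On the wire the challenge header is `WWW-Authenticate` and the Basic token is base64 of `user:password` (reversible encoding), which is why the scheme is only safe over TLS. The realm, salt, account and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

REALM = "Protected"           # constructed realm name
SALT = b"constructed-salt"    # sample value; real stores use a random per-user salt

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed account; stands in for the server's password file.
USERS = {"alice": _kdf("s3cret")}

def client_authorization(user: str, password: str) -> str:
    """Value the browser caches and resends: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"

def parse_basic(header):
    """Return (user, password), or None if the header is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and invalid UTF-8
        return None
    # Split on the first colon only: passwords may contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def handle(request_headers: dict):
    """The server keeps no login state; every request is verified afresh."""
    creds = parse_basic(request_headers.get("Authorization"))
    if creds:
        candidate = _kdf(creds[1])      # computed even for unknown users
        stored = USERS.get(creds[0])
        if stored is not None and hmac.compare_digest(stored, candidate):
            return 200, {}
    # No or bad credentials: challenge the client, which prompts the user.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```
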
