Date: 2002/06/18 13:22

What are the HTTP client headers used in authorization or mod_auth in Perl
Apache? How are they used?

Basic authentication sends headers from the client to the server whenever
the server requests that. The first action after you have started your
browser and go to a password-protected page is that the client sends
the request to the server without a password.

The server answers with the error code 401 and sends a header

www-authenticate: basic realm=XYZ

in the answer. The keyword 'basic' means that the server requests basic
authentication and the realm value identifies the service on the server.
Different services on the same server may require different usernames and
passwords. The keyword XYZ after the realm= identifies the service. This
string is also printed on the pop-up window in the browser and whenever
the same server sends the same realm the client will automatically resend
the same password.

By now, when the server sends this answer the first time, the client opens
the pop-up window and, after getting the username and password from the
user, resends the request adding the header field:

Authorization: Basic BASE64ENCODEDUNANDPW

where BASE64ENCODEDUNANDPW is actually the string 'username:password' base64
encoded. Practically this is plain text.

I hope this was the answer for your question. mod_auth actually does this.

You can visit


to see a clean Perl implementation of a web client and that may help you
understand how it works even more.
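
The exchange described in the answer above, as an added Perl example that is not part of the original thread: it parses the 401 challenge, builds the Authorization header, and decodes it again on the receiving side to show that no key is needed to recover the password. The helper names, the user 'alice' and the password are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Client side: build the header value sent after the 401 challenge.
sub basic_header {
    my ($user, $pass) = @_;
    die "username must not contain ':'\n" if $user =~ /:/;
    return 'Basic ' . encode_base64("$user:$pass", '');   # '' = no line break
}

# Parse the server's challenge, e.g. 'basic realm=XYZ' or 'Basic realm="XYZ"'.
sub parse_challenge {
    my ($value) = @_;
    return unless $value =~ /^\s*basic\s+realm=(?:"([^"]*)"|(\S+))/i;
    return defined $1 ? $1 : $2;
}

# Server side: recover username and password from the Authorization value.
sub parse_authorization {
    my ($value) = @_;
    return unless defined $value
        && $value =~ m!^\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*$!i;
    my $decoded = decode_base64($1);
    # Split on the FIRST colon only: the password may itself contain ':'.
    my ($user, $pass) = split /:/, $decoded, 2;
    return unless defined $pass;          # no colon at all: malformed
    return ($user, $pass);
}

# Constructed sample exchange (realm and credentials are made up).
my $realm  = parse_challenge('basic realm=XYZ');
my $header = basic_header('alice', 's3cr:et');
print "Server challenge realm: $realm\n";
print "Authorization: $header\n";

# Whoever sees the header can reverse it; Base64 is an encoding, not encryption.
my ($user, $pass) = parse_authorization($header);
print "Decoded username: $user\n";
print "Decoded password: $pass\n";

# Malformed values are rejected rather than half-parsed.
for my $bad ('Basic', 'Digest abc', 'Basic !!!!',
             'Basic ' . encode_base64('nocolon', '')) {
    my @r = parse_authorization($bad);
    printf "%-22s -> %s\n", $bad, @r ? 'accepted' : 'rejected';
}
```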


How can my client browser send the information authorization: Basic
Base64encodedusername:password? Or how can I send this information to the
client's browser so as to prevent the authentication window from appearing and
let my client access the protected folder? In short, after login using my login
page, I can let my clients access the protected folder without the
authentication window popping up!!!

Thanks again!!!

There is only one way:

insert the username and password into the URL like:


The bad side is that this password will appear in the URL.

The basic authentication password pop-up appears only once.

