HTTP Basic Authentication credentials passed in URL and encryption

https basic-authentication
rcourtna picture rcourtna · Apr 26, 2010 · Viewed 460.9k times · Source

I have a question about HTTPS and HTTP Authentication credentials.

Suppose I secure a URL with HTTP Authentication:

<Directory /var/www/webcallback>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/passwd/passwords
Require user gooduser
</Directory>

I then access that URL from a remote system via HTTPS, passing the credentials in the URL:

https://gooduser:[email protected]/webcallback?foo=bar

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs? I'm having a hard time locating a credible source with this information.

Answer

Quentin picture Quentin · Apr 26, 2010

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs

Yes, yes yes.

The entire communication (save for the DNS lookup if the IP for the hostname isn't already cached) is encrypted when SSL is in use.

Related questions

What is the difference between Digest and Basic Authentication?

What is the difference between Digest and Basic Authentication ?

Read More
How to do basic authentication over HTTPs in Ruby?

After looking a lot, I've found some solutions that seem working, but not for me... For example, I have this script: require 'net/http' require "net/https" @http=Net::HTTP.new('www.xxxxxxx.net', 443) @http.use_ssl = true @http.verify_…

Read More
HTTPS and BASIC authentication

When I use HTTP BASIC authentication along with HTTPS, are the username and password securely passed to the server? I would be happy if you can help me with some references. I mean, it would be great if I can …

Read More