Clarification of Authorization header behaviour
Question
I am writing authentication mechanism for a practice website. I have managed to create a secure token, but I want it to be sent in every subsequent request after login so they can be authorized.
I'd ideally like to set it as an Authorization Header, but I do not think the header will be set if a user goes to URL through the browser bar.
How do I get the client to remember to send authorization header every time it visits my domain?
Also I would ideally not like to send the token as a cookie.
TL;DR: I have a few questions about Authorization Header behaviour:
Do I need to send Authorization Header in every request, or does the browser do it automatically?
If its not automatic, GET requests from user input in the browser bar will never be authenticated since there wont be any JavaScript to attach the Header, How would you solve this issue without using cookies?(page redirection?)
If I would need to send Authorization header in every request what would be the best solution?
PS
I am using javascript without any frameworks.
2 answers
solution1
0 2019-05-19 14:11:35
I will try to answer your questions.
On every request you need to send Authorization Header if you want to auth user. You can find more about Authorization Header at this link
I don't understand this question. If you enter, for example, www.facebook.com in browser bar, you will go on Facebook homepage. If user doesn't have token, show login page, or redirect to www.facebook.com/login. If user have token, go to homepage and in header send token. Facebook store token in cookie, you can store it in Locale storage, for example.
- What is the best way? On successful login, API gives me token which I save to local storage. Then on every request, I send token. If token is same in database, i got data. If token is not same as token in database, I redirect to login page.
I hope this answers your question.
solution2
0 2019-05-20 07:05:55
For Authorization header in Basic and Digest authentication, the answer to your questions are:
"How do I get the client to remember to send authorization header every time it visits my domain?"
The client would remember and send authorization header automatically, as long as it conforms to RFC2617 :
A client SHOULD assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge. A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server. (2 Basic Authentication Scheme)
...
A client should remember the username, password, nonce, nonce count and opaque values associated with an authentication session to use to construct the Authorization header in future requests within that protection space. (3.3 Digest Operation)
"Do I need to send Authorization Header in every request, or does the browser do it automatically?"
The browser would do it automatically.
For Authorization header in Bearer authentication (OAuth 2.0), I searched but didn't find any similar description in RFC6750
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.