What is the "realm" in basic authentication

3

401

I'm setting up basic authentication on a php site and found this page on the php manual showing the set up. What does "realm" mean here in the header?

header('WWW-Authenticate: Basic realm="My Realm"');

Is it the page being requested?

Sculpin answered 3/10, 2012 at 2:17 Comment(1)
I was bored by the fact that the Wikipedia page didn't mention the meaning of realm and I was required to ask about that on SO. But then, luckily, your question appeared. Blader
350

From RFC 1945 (HTTP/1.0) and RFC 2617 (HTTP Authentication referenced by HTTP/1.1)

The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme.

In short, pages in the same realm should share credentials. If your credentials work for a page with the realm "My Realm", it should be assumed that the same username and password combination should work for another page with the same realm.

Knurl answered 3/10, 2012 at 2:21 Comment(3)
Some servers don't provide a realm in their authentication challenges.Skein
When I work with IIS, I configure different realms for different virtual folders (under the same site). But I am not sure if this is correct. But it seems to work for me. When I visit a virtual folder for a different realm, I did get prompted for credentials. Reorder
Note: RFC 2617 has been updated (NOT obsoleted) by RFC 7235Torbart
135

A realm can be seen as an area (not a particular page, it could be a group of pages) for which the credentials are used; this is also the string that will be shown when the browser pops up the login window, e.g.

Please enter your username and password for <realm name>:

When the realm changes, the browser may show another popup window if it doesn't have credentials for that particular realm.

Sundown answered 3/10, 2012 at 2:25 Comment(4)
How to group pages under realm?Leviticus
@Leviticus The .htaccess goes by hierarchy, so anything that's under a certain directory can be given the same realm.Prier
@Jack, I naively thought that all the pages with an authentication header with a given realm are in that realm and there are no other rules. Am I wrong?Cutout
Both Chrome and Firefox don't show the realm to a user anymore. I guess it's probably to avoid a phishing attack where a hacker from evil.com makes a realm "Type your example.com password" and a user may not check the real domain and types their password. That's sad because it made basic auth even less user friendly. Polson
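The two answers above describe the same rule from the client's side: the browser keys its cached credentials on the protection space (canonical root URL plus realm), reuses them for any page in that space, and prompts again when it meets a realm it has no credentials for. The following Python model of that behaviour is an added example, not code from the answers or from any browser. It parses a single Basic challenge (parameter names case-insensitive, the realm value case-sensitive, realm optional as RFC 7235 allows), derives the protection space, and keeps a small credential cache; the URLs and the user names and passwords are constructed, and `ask_user` stands in for the login popup.

```python
import base64
import re
from urllib.parse import urlsplit

# Matches  name="quoted value"  or  name=token  auth-params
# (simplified from the RFC 7235 / RFC 7230 grammar; enough for Basic).
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_basic_challenge(header_value):
    """Return the realm of a single 'Basic ...' challenge, or None if it has none."""
    scheme, _, rest = header_value.strip().partition(' ')
    if scheme.lower() != 'basic':
        raise ValueError('not a Basic challenge: %r' % scheme)
    params = {}
    for m in _PARAM.finditer(rest):
        name = m.group(1).lower()          # the parameter *name* is case-insensitive
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[name] = value.replace('\\"', '"')  # the *value* keeps its case
    return params.get('realm')


def protection_space(url, realm):
    """Protection space = canonical root URI (scheme + authority) + realm value."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), realm)


def basic_header(user, password):
    """Build the Authorization value the browser would send back."""
    token = base64.b64encode(('%s:%s' % (user, password)).encode('utf-8')).decode('ascii')
    return 'Basic ' + token


class CredentialStore:
    """Models a browser's credential cache, keyed by protection space."""

    def __init__(self):
        self._creds = {}
        self.prompts = []   # realms for which the user would have seen a login popup

    def authorization_for(self, url, www_authenticate, ask_user):
        realm = parse_basic_challenge(www_authenticate)
        space = protection_space(url, realm)
        if space not in self._creds:
            # Unknown protection space: the browser has to ask the user.
            self.prompts.append(realm)
            self._creds[space] = ask_user(realm)
        user, password = self._creds[space]
        return basic_header(user, password)


def demo():
    """Walk a constructed sequence of challenges through the cache."""
    store = CredentialStore()

    def ask_user(realm):
        # Constructed credentials standing in for what the user types into the popup.
        return ('alice', 'secret') if realm == 'My Realm' else ('alice', 'other')

    h1 = store.authorization_for('https://example.com/admin/', 'Basic realm="My Realm"', ask_user)
    # Same host, same realm: credentials are reused, no second prompt.
    h2 = store.authorization_for('https://example.com/admin/reports', 'Basic realm="My Realm"', ask_user)
    # Same host, different realm: a new protection space, so a new prompt.
    h3 = store.authorization_for('https://example.com/api/', 'Basic realm="API", charset="UTF-8"', ask_user)
    # Same realm string on another host: also a new protection space.
    h4 = store.authorization_for('https://other.example/admin/', 'Basic realm="My Realm"', ask_user)
    return store.prompts, h1 == h2, h3, h4


if __name__ == '__main__':
    print(demo())
```

The last call in `demo` is the point that the IIS comment above circles around: the realm alone does not define the protection space, the origin does too, so credentials for "My Realm" on one host are never offered to "My Realm" on another.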
27

According to the RFC 7235, the realm parameter is reserved for defining protection spaces (set of pages or resources where credentials are required) and it's used by the authentication schemes to indicate a scope of protection.

For more details, see the quote below (the highlights are not present in the RFC):

2.2. Protection Space (Realm)

The "realm" authentication parameter is reserved for use by authentication schemes that wish to indicate a scope of protection.

A protection space is defined by the canonical root URI (the scheme and authority components of the effective request URI) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, that can have additional semantics specific to the authentication scheme. Note that a response can have multiple challenges with the same auth-scheme but with different realms. [...]


Note 1: The framework for HTTP authentication is currently defined by the RFC 7235, which updates the RFC 2617 and makes the RFC 2616 obsolete.

Note 2: The realm parameter is no longer always required on challenges.

Discommon answered 11/2, 2016 at 12:47 Comment(0)
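The RFC text quoted above is written from the origin server's side: the server partitions its resources into protection spaces, each with its own authorization database, and names the space in the challenge. The following Python sketch of such a server is an added example, not code from the answer, the RFC or any real server. The path prefixes, realm names, user names and passwords are constructed; passwords are stored as salted PBKDF2 digests and compared in constant time, and an unknown user is hashed against a dummy record so that lookup time does not reveal which names exist.

```python
import base64
import hashlib
import hmac
import secrets


def _hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256; the stored value never holds the plaintext.
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100_000)


def make_user_db(users):
    """Build one authorization database (user -> (salt, digest)) from constructed plaintexts."""
    db = {}
    for name, password in users.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, _hash_password(password, salt))
    return db


# Constructed protection spaces: path prefix -> (realm name, its own authorization database).
REALMS = {
    '/admin/': ('Admin Area', make_user_db({'alice': 'admin-pass'})),
    '/api/':   ('API',        make_user_db({'svc': 'api-key'})),
}

# Dummy record used when the user name is unknown, so the hash is always computed.
_DUMMY = (bytes(16), bytes(32))


def realm_for(path):
    """Return (realm, db) for a protected path, or (None, None) for an unprotected one."""
    for prefix, (realm, db) in REALMS.items():
        if path.startswith(prefix):
            return realm, db
    return None, None


def basic_header(user, password):
    """Build the Authorization value a client would send."""
    token = base64.b64encode(('%s:%s' % (user, password)).encode('utf-8')).decode('ascii')
    return 'Basic ' + token


def check_basic(authorization, db):
    """Return the user name if the header carries valid Basic credentials for this realm's db, else None."""
    if not authorization or not authorization.lower().startswith('basic '):
        return None
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(':')
    if not sep:
        return None
    salt, expected = db.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return user if ok and user in db else None


def handle(path, headers):
    """Minimal request handler: returns (status, response_headers, body)."""
    realm, db = realm_for(path)
    if realm is None:
        return 200, {}, 'public'
    user = check_basic(headers.get('Authorization'), db)
    if user is None:
        # The challenge names the protection space; charset is the RFC 7617 Basic parameter.
        return 401, {'WWW-Authenticate': 'Basic realm="%s", charset="UTF-8"' % realm}, ''
    return 200, {}, 'hello %s' % user


if __name__ == '__main__':
    print(handle('/admin/', {}))
    print(handle('/admin/x', {'Authorization': basic_header('alice', 'admin-pass')}))
    print(handle('/api/x', {'Authorization': basic_header('alice', 'admin-pass')}))
```

The third call in the usage shows what "each with its own authorization database" means in practice: credentials that are valid in the "Admin Area" realm are rejected under "/api/", because that path belongs to a different protection space with a different user list.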

© 2022 - 2024 — McMap. All rights reserved.