Welcome!

You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Jeremy Geelan, Maureen O'Gara, Nancy Y. Nee, Tad Anderson

Related Topics: ColdFusion

ColdFusion: Article

Implementing HTTP Basic Authentication

Route around many of the common limitations of traditional forms-based authentication

How to Implement Basic Authentication with ColdFusion
The first time a Web browser requests a page that's protected by Basic authentication, the Web server needs a way to tell it that it should stop and ask the user for login information. It does this by sending a response to the initial request with the status code 401 ("Access Denied"). In this response, it also sends information about what types of authentication it's willing to accept (this is the "WWW-Authenticate" header). In this article, we're only discussing Basic Authentication, but other more complex (and more secure) methods exist such as Digest authentication and Microsoft's proprietary NTLM authentication. Along with the 401 response the server also sends a user-friendly (or at least user-readable) explanation of why access is being denied.

When the browser gets the 401 response, before showing the user the "Access Denied" message, it prompts for a user name and password. If the user provides credentials, the browser repeats the request and includes the user name and password in an "Authorization" request header. If the credentials are sufficient, the server then sends the requested page with a 200 ("OK") status code. If the credentials aren't acceptable to the server, it simply sends back the same 401 response, which makes the browser prompt the user again. If the user declines to provide credentials (by clicking a "Cancel" button on the password prompt, for example), or fails to provide acceptable credentials a certain number of times (usually three, although it's up to the Web browser to decide), the browser stops prompting the user and shows the user the "Access Denied" message provided by the server.

Listing 1 shows the code needed to implement Basic Authentication. This code should be included at the top of any page that needs to be protected by authentication (an Application.cfm file is a good place, for example).

The first lines use the built-in ColdFusion function GetHttpRequestData() to retrieve complete information on the request headers sent by the client and ensure that our session-level user variable is initialized. Then the code checks to see if the client has provided the "Authorization" header that contains the login and password. The "Authorization" header consists of two parts separated by a single space: first, the authentication scheme (in this case "Basic"); and second, the user name and password separated by a colon and Base64-encoded to protect them from character set issues during transmission. The user name and password are decoded using the ToBinary() and ToString() functions, and the application verifies that they're correct (obviously this part will vary from application to application). If the user hasn't been logged in either by providing incorrect credentials or by not providing any at all, the response code is set to 401 and the "WWW-Authenticate" response header is added. Finally, a user-friendly "Access Denied" message is added to the response and execution is stopped so the server sends only the "Access Denied" message back to the client.

Even if the user has cookies disabled, so the user's session doesn't persist from request to request, the user won't be prompted again for a login and password. However, in this case, you won't be able to store any other data in the session scope without resorting to passing session identifiers as URL parameters.

Since the browser is getting accurate response codes throughout the transaction, there's no need to write code to redirect the user after a successful login. This is an additional benefit of using Basic authentication and means that your application fully supports deep linking and bookmarking without any extra code.

The Authentication Realm
There's one additional piece of information that the server sends in the "WWW-Authenticate" header: the authentication realm. The realm is defined as a string that uniquely identifies the set of resources on the server that all use the same user account source. The browser assumes that if it has prompted the user for a login and password for a resource on a given server, it can reuse the same credentials for another resource in the same realm on the same server.

Although the specification for Basic authentication discourages the use of the realm for any purpose other than matching it for equality against other realm values, in practice the realm actually has another important function. When most browsers prompt the user for login credentials, they show the realm as a description of the application the user is logging in to. So it's a good idea to set the realm in your authentication code to a brief description of your application (this description would replace the string "MyApplication" in Listing 1).

Caching of Credentials: The End of Session Expiration
When a browser gets a 401 ("Access Denied") message in response to a request for a given resource, it checks to see if the realm specified in the "WWW-Authenticate" header matches any realms it has already authenticated against on the current server for the current browser session. If it finds credentials that have been accepted for that realm, it retries the request using those credentials (prompting the user for credentials only if the cached credentials are rejected by the server). The browser also assumes that resources in subdirectories below the resources for which it has already been prompted to authenticate will be part of the same realm and preemptively sends the cached credentials the first time it requests these resources. These two facts contribute to one of the biggest advantages of Basic authentication: the end of session expiration messages.

Examine Listing 1 again and consider what happens if the user has been previously authenticated but has been inactive enough that the session expired. On the next request, a new session is initiated by the ColdFusion server and SESSION.loggedInUserName is set to an empty string. If the browser has previously requested the page, it will have preemptively sent the login credentials; if not, it will check its cache and see that it already has credentials for the specified realm and it will repeat the request, providing the cached credentials. In either case, the user has been automatically logged back into the application without being prompted! This provides a much smoother and less confusing experience for the user.

Keep in mind that this may have some affect on your application architecture. If you're using the session scope only to cache information that's already stored in a database somewhere, your application can probably be converted to Basic authentication with no issues. However, if you store temporary data in the session scope (such as shopping cart information), you may have to consider a different approach since the user may have multiple ColdFusion sessions over the course of what they consider a single session of interacting with the Web application. Just remember that a user session might be initialized on any page of your application.

Limitations of Basic Authentication
Basic authentication isn't without its limitations. First and foremost, it's important to realize that the user name and password is transmitted from the browser to the Web server in unencrypted clear text. (The Base64 encoding isn't a security measure - it's designed to be easily reversible.) If you consider the data in your application to be sensitive, you should definitely use an additional security layer such as SSL to protect the transmission of the user name and password (as well as the data). That being said, this lack of encryption is a limitation that's common to both forms-based and Basic authentication.

The other significant limitation of Basic authentication, and the only major drawback to using it over forms-based authentication, is that it provides much less opportunity for context around the login and password. A forms-based solution can show information around the login box explaining the format of the login and, in the case of password errors, can provide detailed information about what went wrong. Additionally, the login prompt can be customized to match the look-and-feel of the rest of the application. When implementing HTTP Basic authentication, you should provide an entry page that isn't authenticated that provides this information so the user is prepared to enter the appropriate login and password information.

Conclusion
Basic authentication provides an alternative to traditional forms-based authentication methods. By sticking closely to the HTTP specification, this method leverages features built in to the Web browser to prevent confusing session expiration problems and the need to code around other limitations in non-standard forms-based authentication methods.

More Stories By Patrick Correia

Patrick Correia is a Web developer for Clough Harbour & Associates LLP, an east coast multi-disciplined engineering firm. A Certified Advanced ColdFusion MX Developer based in Albany, New York, he has spent the last five years developing ColdFusion-based business process improvement solutions for the firm's numerous municipal and private clients.

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
MikeR 06/08/06 11:43:56 PM EDT

Interesting article but it failed to mention the huge flaw with basic auth.

Basic authentication can't be used for most real-world sites because:
(1) There is now way for the user to log out short of closing all browser windows.
and (2) There is no practical way for the site to logout or timeout a user.

@ThingsExpo Stories
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
The cloud promises new levels of agility and cost-savings for Big Data, data warehousing and analytics. But it’s challenging to understand all the options – from IaaS and PaaS to newer services like HaaS (Hadoop as a Service) and BDaaS (Big Data as a Service). In her session at @BigDataExpo at @ThingsExpo, Hannah Smalltree, a director at Cazena, provided an educational overview of emerging “as-a-service” options for Big Data in the cloud. This is critical background for IT and data professionals...
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
"IoT is going to be a huge industry with a lot of value for end users, for industries, for consumers, for manufacturers. How can we use cloud to effectively manage IoT applications," stated Ian Khan, Innovation & Marketing Manager at Solgeniakhela, in this SYS-CON.tv interview at @ThingsExpo, held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Onalytica. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
The Internet of Things (IoT) promises to simplify and streamline our lives by automating routine tasks that distract us from our goals. This promise is based on the ubiquitous deployment of smart, connected devices that link everything from industrial control systems to automobiles to refrigerators. Unfortunately, comparatively few of the devices currently deployed have been developed with an eye toward security, and as the DDoS attacks of late October 2016 have demonstrated, this oversight can ...
Extracting business value from Internet of Things (IoT) data doesn’t happen overnight. There are several requirements that must be satisfied, including IoT device enablement, data analysis, real-time detection of complex events and automated orchestration of actions. Unfortunately, too many companies fall short in achieving their business goals by implementing incomplete solutions or not focusing on tangible use cases. In his general session at @ThingsExpo, Dave McCarthy, Director of Products...
Machine Learning helps make complex systems more efficient. By applying advanced Machine Learning techniques such as Cognitive Fingerprinting, wind project operators can utilize these tools to learn from collected data, detect regular patterns, and optimize their own operations. In his session at 18th Cloud Expo, Stuart Gillen, Director of Business Development at SparkCognition, discussed how research has demonstrated the value of Machine Learning in delivering next generation analytics to impr...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
Businesses and business units of all sizes can benefit from cloud computing, but many don't want the cost, performance and security concerns of public cloud nor the complexity of building their own private clouds. Today, some cloud vendors are using artificial intelligence (AI) to simplify cloud deployment and management. In his session at 20th Cloud Expo, Ajay Gulati, Co-founder and CEO of ZeroStack, will discuss how AI can simplify cloud operations. He will cover the following topics: why clou...
Internet of @ThingsExpo, taking place June 6-8, 2017 at the Javits Center in New York City, New York, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo New York Call for Papers is now open.
"ReadyTalk is an audio and web video conferencing provider. We've really come to embrace WebRTC as the platform for our future of technology," explained Dan Cunningham, CTO of ReadyTalk, in this SYS-CON.tv interview at WebRTC Summit at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Successful digital transformation requires new organizational competencies and capabilities. Research tells us that the biggest impediment to successful transformation is human; consequently, the biggest enabler is a properly skilled and empowered workforce. In the digital age, new individual and collective competencies are required. In his session at 19th Cloud Expo, Bob Newhouse, CEO and founder of Agilitiv, drew together recent research and lessons learned from emerging and established compa...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
Everyone knows that truly innovative companies learn as they go along, pushing boundaries in response to market changes and demands. What's more of a mystery is how to balance innovation on a fresh platform built from scratch with the legacy tech stack, product suite and customers that continue to serve as the business' foundation. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, discussed why and how ReadyTalk diverted from healthy revenue and mor...
We are always online. We access our data, our finances, work, and various services on the Internet. But we live in a congested world of information in which the roads were built two decades ago. The quest for better, faster Internet routing has been around for a decade, but nobody solved this problem. We’ve seen band-aid approaches like CDNs that attack a niche's slice of static content part of the Internet, but that’s it. It does not address the dynamic services-based Internet of today. It does...