What is the HTTP_AUTHORIZATION environment variable?

http-headers webserver environment-variables
33,975

Solution 1

Just so we're on the same page, a typical POST request looks something like this:

POST /some/page HTTP/1.1                            <-- request line
Host: www.example.com                               <-------------------\
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) <--| headers
Content-Length: 27                                  <-------------------/
... some other headers ...
                                                    <-- blank line
username=peter&password=123                         <-- POST data, if any

The environment variables beginning HTTP_ are a hangover from the days when CGI scripts were the main way to serve dynamic content, and they indicate to your server-side code that the client supplied a particular header as part of the request. From the CGI spec:

Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.

The Authorization: header used in a number of HTTP authentication mechanisms; the usual flow is:

  1. browser attempts to request a page
  2. server responds with "401 Unauthorized" and a WWW-Authenticate: header containing a scheme and (sometimes) a challenge
  3. browser prompts user for credentials, then re-sends the request with an Authorization: header containing a response to the challenge

The exact format of the challenge and response differs depending on which authentication scheme is in use; RFC2617 (which gpcz linked to) covers "basic" (most common, sends base64-encoded "username:password") and "digest" (contains a cryptographic hash), and NTLM is another that's seen in some Windows environments.

Solution 2

A detailed description of the HTTP Authorization header can be found in RFC2617, located at http://www.ietf.org/rfc/rfc2617.txt , section 3.2.2.

Share:
33,975
nonopolarity
Author by

nonopolarity

I started with Apple Basic and 6502 machine code and Assembly, then went onto Fortran, Pascal, C, Lisp (Scheme), microcode, Perl, Java, JavaScript, Python, Ruby, PHP, and Objective-C. Originally, I was going to go with an Atari... but it was a big expense for my family... and after months of me nagging, my dad agreed to buy an Apple ][. At that time, the Pineapple was also available. The few months in childhood seem to last forever. A few months nowadays seem to pass like days. Those days, a computer had 16kb or 48kb of RAM. Today, the computer has 16GB. So it is in fact a million times. If you know what D5 AA 96 means, we belong to the same era.

Updated on July 09, 2022

Comments

  • nonopolarity
    nonopolarity almost 2 years

    HTTP_AUTHORIZATION seems to be a server side environment variable, but what values can it be? Are there examples? Is it set by some HTTP headers?

    Also, how does it look like on the browser side when it asks for username and password (is it an HTML form or is it a popup box that asks for username and password (which is modal and so if not clicking OK or Cancel, then the browser cannot be click on)).

    Usually, a user login form will POST to the server with POST variables such as

    username=peter&password=123

    so what is this HTTP_AUTHORIZATION about?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Apache Custom Header with an environment variable
How do I detect mobile clients on my web server?
How to figure out a reasonable content security policy source for nginx (virtual hosts)?
How to support HTTP headers NetworkImage in flutter web
Flutter multi environment
How to pass dart variable to index.html
Flutter - running command "flutter _____" instantly closes terminal
How to use .env in Flutter web?
"Invalid Argument(s): Cannot find executable for null" when emulated Android on VS Code - Mac OS X
Flutter: make build-time environment variables available to code