SyntaxFix

[http] What is the "realm" in basic authentication

I'm setting up basic authentication on a php site and found this page on the php manual showing the set up. What does "realm" mean here in the header? 

header('WWW-Authenticate: Basic realm="My Realm"');

Is it the page page being requested?

This question is related to http basic-authentication digest-authentication

The answer is

From RFC 1945 (HTTP/1.0) and RFC 2617 (HTTP Authentication referenced by HTTP/1.1)

The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme.

In short, pages in the same realm should share credentials. If your credentials work for a page with the realm "My Realm", it should be assumed that the same username and password combination should work for another page with the same realm.

A realm can be seen as an area (not a particular page, it could be a group of pages) for which the credentials are used; this is also the string that will be shown when the browser pops up the login window, e.g.

Please enter your username and password for <realm name>:

When the realm changes, the browser may show another popup window if it doesn't have credentials for that particular realm.

According to the RFC 7235, the realm parameter is reserved for defining protection spaces (set of pages or resources where credentials are required) and it's used by the authentication schemes to indicate a scope of protection.

For more details, see the quote below (the highlights are not present in the RFC):

2.2. Protection Space (Realm)

The "realm" authentication parameter is reserved for use by authentication schemes that wish to indicate a scope of protection.

A protection space is defined by the canonical root URI (the scheme and authority components of the effective request URI) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, that can have additional semantics specific to the authentication scheme. Note that a response can have multiple challenges with the same auth-scheme but with different realms. [...]

Note 1: The framework for HTTP authentication is currently defined by the RFC 7235, which updates the RFC 2617 and makes the RFC 2616 obsolete.

Note 2: The realm parameter is no longer always required on challenges.

Source: Stackoverflow.com

Examples related to http

Access blocked by CORS policy: Response to preflight request doesn't pass access control check Axios Delete request with body and headers? Read response headers from API response - Angular 5 + TypeScript Android 8: Cleartext HTTP traffic not permitted Angular 4 HttpClient Query Parameters Load json from local file with http.get() in angular 2 Angular 2: How to access an HTTP response body? What is HTTP "Host" header? Golang read request body Angular 2 - Checking for server errors from subscribe

Examples related to basic-authentication

Use Invoke-WebRequest with a username and password for basic authentication on the GitHub API How to define the basic HTTP authentication using cURL correctly? Spring Security exclude url patterns in security annotation configurartion Basic HTTP and Bearer Token Authentication HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers Calling a rest api with username and password - how to What is the "realm" in basic authentication How to prevent browser to invoke basic auth popup and handle 401 error using Jquery? Proxy Basic Authentication in C#: HTTP 407 error What is the difference between Digest and Basic Authentication?

Examples related to digest-authentication

What is the "realm" in basic authentication What is the difference between Digest and Basic Authentication?

Tags

Cgimagemaskcreate Xmlstreamreader End-of-life Svn-update Sed Vertex-buffer Plaintext Cvs Servicecontroller Icalendar Stringbuffer Absolute-path Django-cache Quartz-composer Flashbuilder4 Janrain 2d Cas Gateway Andengine Wcag Powergui Web-application-project Perfmon Shelving Matlab Sigbus Program-files Log4php Roxygen Tcldevkit Cortex-m3 Zend-log Amfphp Selectedvalue Armv7 Edmx Delphi-2006 Embedded-container Scrollpane Binsor Qt4 Userscripts Login-script Configuration-management Struts-config Enyim Openpop Ibatis.net Imagemagick Git-log Nfc Custom-type Healthvault Idispatch Inline-if Isoneway Commonj Prado Pmd Grep Opencl.net Mongrel-cluster Mud Node-xmpp Scrolledwindow Initializer-list Mss Sunone Cabal-install Simplyvbunit Gpx 3gp Simplex Qmap Jbuilder Line-count Instanceof Dct Stock Keywordquery Xmppframework Contact Powerset System-calls Asp.net-2.0 Ebcdic Jgss Passive-mode Timsort Named-scope Disconnection Designer Template-matching Parameter-spoofing Apdu Bmp Adoconnection Wireframe Writexml