Web Site Authentication vs. Authorization

Many people confuse authentication and authorization, and some even think they are the same thing, which they aren't. To understand the difference, consider the following example. When you want to visit a foreign country, what do you need? A passport and a visa.

The passport is a document that authenticates you to the foreign country. It tells them that you are really who you claim to be. So, when you present your passport, you are authenticating yourself to the foreign officials.

Next, you must show proof that you are allowed (that is, authorized) to enter the foreign country. This is the visa document. Now, in computer terms, authentication typically involves submitting a username and password. A successful submission and acceptance of a username and password establishes that you are who you claim to be.

In other words, you have authenticated yourself. A given resource that you are trying to access may require authorization in addition to authentication. For example, if you are accessing a computer at 4 a.m., the computer might refuse to let you in at that time because the system administrator has decided that you are not authorized to access it at 4 a.m.

Similarly, you might be authorized to view a restricted Web site from the office but not from home because the company policy dictates to the network administrator that all restricted access be performed on premises.

Basic HTTP authentication is really quite simple. A challenge and response mechanism is used to authenticate users.

The steps are discussed below:

  1. Authentication begins when a Web browser requests a URL that is protected by the HTTP authentication scheme.
  2. The Web server then returns a 401 status header along with a WWW-Authenticate response header, which indicates that authentication is required to access the URL. The header contains the authentication scheme being used (currently only basic HTTP authentication is supported) and the realm name.
  3. At this point, a Web browser dialog box appears, asking the user to enter a username and a password.
  4. The user enters the required username and password and clicks OK. The browser then sends the username and password along with the previous URL request to the server. The server checks whether the username and password are valid.
  5. If the username and password are valid (that is, authentic), the server returns the requested page. If the username and password are invalid, the server responds with a 401 status and sends the same WWW-Authenticate response header to the browser.
  6. In each subsequent request during the browser session to the same server, the browser will send the username and password pair so that the server does not have to generate a 401 status header for calls that fall in the same area of the site.
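The following is an added example, not code from the original article, showing both halves of the discussion: the six-step basic HTTP challenge and response exchange, and a separate authorization decision (the "4 a.m." and "on premises only" rules from above) that runs only after authentication succeeds. The user store, the office network range 10.0.0.0/8, the blocked hours 0:00-5:59, the paths /admin and /restricted, and the PBKDF2 password digests are all constructed for this example; the server's `fixed_hour` hook exists only so the time-of-day rule can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import http.client
import threading
from datetime import datetime
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address, ip_network

REALM = "Restricted Area"

# Constructed credential store: username -> PBKDF2 digest of the password.
# (A real deployment would use a per-user salt and a tuned work factor.)
_SALT = b"constructed-salt"


def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}
ADMINS = {"alice"}                       # constructed: who may open /admin
OFFICE_NET = ip_network("10.0.0.0/8")    # constructed: "on premises" address range
NIGHT_HOURS = range(0, 6)                # constructed: no access between 0:00 and 5:59


def parse_basic_credentials(header):
    """Return (username, password) from 'Basic base64(user:pass)', or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:  # RFC 7617 requires the colon separator
        return None
    return username, password


def authenticate(username, password):
    """Authentication: is the caller who they claim to be?
    The digest is computed even for unknown users, and compared in constant time,
    so response timing does not reveal which usernames exist."""
    stored = USERS.get(username)
    candidate = _digest(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


def authorize(username, path, hour, client_ip):
    """Authorization: may this (already authenticated) user reach this resource, now, from here?"""
    if hour in NIGHT_HOURS:                     # the "4 a.m." rule
        return False
    if path.startswith("/admin") and username not in ADMINS:
        return False
    if path.startswith("/restricted") and ip_address(client_ip) not in OFFICE_NET:
        return False                            # the "office only" rule
    return True


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        creds = parse_basic_credentials(self.headers.get("Authorization"))
        if creds is None or not authenticate(*creds):
            # Steps 2 and 5: challenge (or re-challenge) the browser with the realm.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.end_headers()
            return
        username = creds[0]
        hour = self.server.fixed_hour if self.server.fixed_hour is not None else datetime.now().hour
        if not authorize(username, self.path, hour, self.client_address[0]):
            self.send_response(403)  # authenticated, but not authorized for this resource
            self.end_headers()
            return
        body = ("Welcome, %s" % username).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


class DemoServer(HTTPServer):
    def __init__(self, fixed_hour=None):
        super().__init__(("127.0.0.1", 0), Handler)  # port 0: pick a free port
        self.fixed_hour = fixed_hour


def request(port, path, username=None, password=None):
    """Browser side (steps 1 and 4): optionally attach Authorization; return (status, WWW-Authenticate)."""
    headers = {}
    if username is not None:
        token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("WWW-Authenticate")


def run_exchange(fixed_hour=12):
    """Drive the full exchange against a local server and collect the outcomes."""
    server = DemoServer(fixed_hour)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "no_creds": request(port, "/"),
            "bad_pass": request(port, "/", "alice", "wrong"),
            "good": request(port, "/", "alice", "correct horse"),
            "admin_as_bob": request(port, "/admin", "bob", "battery staple"),
            "admin_as_alice": request(port, "/admin", "alice", "correct horse"),
            "restricted_loopback": request(port, "/restricted", "alice", "correct horse"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, outcome in run_exchange().items():
        print(name, outcome)
```

Two things worth noticing when running it: the first request gets 401 plus the `WWW-Authenticate: Basic realm="Restricted Area"` challenge with no credentials at all, and a wrong password gets exactly the same reply, which is the re-challenge in step 5. Because step 6 means the browser repeats the base64-encoded (not encrypted) username and password on every request in the session, basic authentication is only acceptable over TLS. The 403 cases show the point of the article: alice and bob both authenticate successfully, yet bob is not authorized for /admin, and alice is not authorized for /restricted from a non-office address (the loopback client here) or for anything during the blocked hours.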