Using Basic Auth Correctly

I am amazed that web developers often don't know IIS configuration as well as they should, given that it is the platform all their code must run against. The most pressing misconception concerns Basic Authentication. When you configure a web site to support Basic Authentication (a fairly common practice), it encodes the user credentials. Get this straight though: encoding doesn't mean encrypting. It just puts the credentials into a format for transmission. That format is public and completely reversible, which makes it exactly as secure as clear text.

While I don't want anyone to take this as a rant against Basic Authentication, it is a wake-up call, because the credentials are sent on each and every request to a site using this authentication mechanism. This means that if you use Basic Authentication you need to use SSL on every page request. This is the detail I see missed most often. I have seen many sites that put SSL on the login page only, so the credentials still get sent in clear text on every other request for the entire client-to-server conversation.

The bottom line: if you choose Basic Authentication for its broad client support, you have to accept the overhead of using SSL on every single request to the site.
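To make the two points above concrete (the Authorization header is trivially reversible, and it rides along on every request, not just the login), here is an added example in Python. It is not code from the original post; the log format, the host name `example.test` and the credentials are constructed for illustration. It builds the header a browser would send, decodes it back to the plain credentials, and then audits a few constructed request lines to flag every one that carries Basic credentials over plain `http://`.

```python
import base64
from urllib.parse import urlsplit

def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic Auth.

    The value is only base64("user:password"), which is encoding, not encryption.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Reverse the encoding: anyone who observes the header recovers the credentials."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials: no ':' separator")
    return username, password

# Constructed sample "access log" lines: METHOD URL AUTHORIZATION-VALUE ("-" = no header).
# This is a hypothetical format for the example, not an IIS log format.
CONSTRUCTED_LOG = [
    "GET https://example.test/login " + basic_auth_header("alice", "s3cret"),
    "GET http://example.test/account " + basic_auth_header("alice", "s3cret"),
    "GET http://example.test/images/logo.png -",
    "GET https://example.test/reports " + basic_auth_header("alice", "s3cret"),
]

def audit_basic_over_http(log_lines: list[str]) -> list[str]:
    """Return the URLs of requests that sent Basic credentials without SSL/TLS.

    This is the check the post asks for: SSL on the login page alone is not enough,
    every request carrying the header must be on https.
    """
    exposed = []
    for line in log_lines:
        _method, url, auth = line.split(" ", 2)
        if auth != "-" and auth.lower().startswith("basic ") and urlsplit(url).scheme == "http":
            exposed.append(url)
    return exposed

if __name__ == "__main__":
    header = basic_auth_header("alice", "s3cret")
    print("header sent on every request:", header)
    print("recovered by anyone on the path:", decode_basic_auth(header))
    for url in audit_basic_over_http(CONSTRUCTED_LOG):
        print("credentials sent in clear text:", url)
```

Running it shows the login request over `https://` passing while the follow-up `/account` request over `http://` is flagged: that single plain request leaks the same credentials the login page protected.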
