
What is the "realm" in basic authentication

I'm setting up basic authentication on a php site and found this page on the php manual showing the set up. What does "realm" mean here in the header?

header('WWW-Authenticate: Basic realm="My Realm"');

Is it the page being requested?


Dennis Meissel

From RFC 1945 (HTTP/1.0) and RFC 2617 (HTTP Authentication referenced by HTTP/1.1)

The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme.

In short, pages in the same realm should share credentials. If your credentials work for a page with the realm "My Realm", it should be assumed that the same username and password combination should work for another page with the same realm.


Some servers don't provide a realm in their authentication challenges.
When I work with IIS, I configure different realms for different virtual folders (under the same site). But I am not sure if this is correct. But it seems to work for me. When I visit a virtual folder for a different realm, I did get prompted for credentials.
Note: RFC 2617 has been updated (NOT obsoleted) by RFC 7235
Ja͢ck

A realm can be seen as an area (not a particular page, it could be a group of pages) for which the credentials are used; this is also the string that will be shown when the browser pops up the login window, e.g.

Please enter your username and password for :

When the realm changes, the browser may show another popup window if it doesn't have credentials for that particular realm.


How to group pages under realm?
@Green The .htaccess goes by hierarchy, so anything that's under a certain directory can be given the same realm.
@Jack, I naively thought that all the pages with an authentication header with a given realm are in that realm and there are no other rules. Am I wrong?
Dennis Meissel

According to the RFC 7235, the realm parameter is reserved for defining protection spaces (set of pages or resources where credentials are required) and it's used by the authentication schemes to indicate a scope of protection.

For more details, see the quote below (the highlights are not present in the RFC):

2.2. Protection Space (Realm) The "realm" authentication parameter is reserved for use by authentication schemes that wish to indicate a scope of protection. A protection space is defined by the canonical root URI (the scheme and authority components of the effective request URI) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, that can have additional semantics specific to the authentication scheme. Note that a response can have multiple challenges with the same auth-scheme but with different realms. [...]

Note 1: The framework for HTTP authentication is currently defined by the RFC 7235, which updates the RFC 2617 and makes the RFC 2616 obsolete.

Note 2: The realm parameter is no longer always required on challenges.
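As an added example (not code from the question or from either answer), the Python below models the client side of what both of Dennis's answers and Jack's answer describe: it parses a `WWW-Authenticate` header (including several challenges with different realms, a case-insensitive parameter name and a case-sensitive realm value), derives the protection space from the canonical root URI plus the realm, and keeps credentials per protection space, so a browser-like client only "pops up the login window" for a space it has not seen. The `basic_challenge` helper builds the header value from the question's PHP line. The `example.test` URLs, the `fake_prompt` callback and the credentials are constructed for the demo.

```python
"""Model of how a Basic-auth client scopes credentials by protection space (RFC 7235 §2.2)."""
import re
from urllib.parse import urlsplit

# One auth-param: name=token or name="quoted-string" (backslash escapes allowed).
_PARAM = r'[A-Za-z0-9_-]+\s*=\s*(?:"(?:[^"\\]|\\.)*"|[^\s,]+)'
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')

# A challenge: an auth-scheme token optionally followed by a comma-separated param list.
# A scheme name never contains "=", so the param list stops before the next challenge.
_CHALLENGE_RE = re.compile(
    r'(?P<scheme>[A-Za-z][A-Za-z0-9._~+/-]*)'
    r'(?:\s+(?P<params>(?:' + _PARAM + r'\s*,?\s*)*))?'
)


def basic_challenge(realm):
    """Header value a server sends for Basic auth (the PHP header() line in the question)."""
    escaped = realm.replace('\\', '\\\\').replace('"', '\\"')
    return f'Basic realm="{escaped}"'


def parse_challenges(header_value):
    """Return [(scheme, {param: value})] for every challenge in a WWW-Authenticate value.

    Parameter names are case-insensitive (lower-cased here); values, realm included,
    are kept exactly as sent because the realm value is case-sensitive.
    """
    challenges = []
    for m in _CHALLENGE_RE.finditer(header_value):
        params = {}
        for pm in _PARAM_RE.finditer(m.group('params') or ''):
            name, value = pm.group(1).lower(), pm.group(2)
            if value.startswith('"'):
                value = re.sub(r'\\(.)', r'\1', value[1:-1])  # drop quotes, unescape
            params[name] = value
        challenges.append((m.group('scheme'), params))
    return challenges


def protection_space(request_url, realm):
    """Canonical root URI (scheme + authority) of the request, paired with the realm."""
    parts = urlsplit(request_url)
    root = f'{parts.scheme.lower()}://{parts.netloc.lower()}/'
    return (root, realm)


class BasicAuthClient:
    """Browser-like credential store keyed by protection space, not by page."""

    def __init__(self, prompt):
        self._prompt = prompt   # callable(realm) -> (user, password); stands in for the login dialog
        self._creds = {}        # protection space -> (user, password)

    def credentials_for(self, request_url, www_authenticate):
        """Credentials for the first Basic challenge; prompt only for an unseen protection space."""
        for scheme, params in parse_challenges(www_authenticate):
            if scheme.lower() != 'basic':
                continue
            space = protection_space(request_url, params.get('realm'))
            if space not in self._creds:
                self._creds[space] = self._prompt(params.get('realm'))
            return self._creds[space]
        raise ValueError('no Basic challenge offered')


def demo():
    """Walk a client through several pages; return the realms it had to prompt for."""
    prompted = []

    def fake_prompt(realm):  # constructed stand-in for the browser's username/password dialog
        prompted.append(realm)
        return ('alice', 's3cret')

    client = BasicAuthClient(fake_prompt)
    hdr = basic_challenge('My Realm')
    client.credentials_for('http://example.test/admin/index.php', hdr)   # first visit: prompt
    client.credentials_for('http://example.test/admin/users.php', hdr)   # same space: reused, no prompt
    client.credentials_for('http://example.test/reports/', basic_challenge('Reports'))  # new realm: prompt
    client.credentials_for('https://example.test/admin/', hdr)           # other scheme = other root URI: prompt
    client.credentials_for('http://example.test/x', basic_challenge('my realm'))  # realm is case-sensitive: prompt
    return prompted


if __name__ == '__main__':
    print(demo())
```

The demo shows the two points the answers make: the second `/admin/` page reuses the stored credentials because realm and root URI match, while a different realm, a different scheme/host, or merely a different capitalisation of the realm value is a separate protection space and triggers another prompt. On the server side the same key (root URI, realm) is what lets you back each realm with its own authorization database.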