When the user agent wants to send authentication credentials to the server, it may use the Authorization field.
The Authorization field is constructed as follows:
- The username and password are combined with a single colon (the username therefore must not itself contain a colon).
- The resulting string is encoded using the RFC 2045 MIME variant of Base64, except that it is not limited to 76 characters per line.
- The authorization method and a space, i.e. "Basic ", is then put before the encoded string.
For example, if the user agent uses Aladdin as the username and OpenSesame as the password, the field is formed as follows (printf is used rather than echo so that no trailing newline is encoded):
printf '%s' 'Aladdin:OpenSesame' | base64
... yields the string 'QWxhZGRpbjpPcGVuU2VzYW1l', which is used like so:
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
-----------------------------------------------------------------
Server side:
When the server wants the user agent to authenticate itself, it must respond appropriately to unauthenticated requests.
Unauthenticated requests should return a response whose header contains an HTTP 401 Unauthorized status and a WWW-Authenticate field.[5]
The WWW-Authenticate field for basic authentication (the most commonly used scheme) is constructed as follows:
WWW-Authenticate: Basic realm="User Visible Realm"
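The two halves of the exchange above, client-side construction of the Authorization field and server-side parsing plus the 401 challenge, as an added example written for this page (not code from the source); the username, password and realm are the ones from the text, and the function names are my own.

```python
import base64
import hmac

# Credentials and realm taken from the example in the text (constructed sample values).
USERNAME = "Aladdin"
PASSWORD = "OpenSesame"
REALM = "User Visible Realm"


def build_authorization(username: str, password: str) -> str:
    """Client side: 'user:pass' -> Base64 (no line wrapping) -> 'Basic <token>'."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header_value: str):
    """Server side: decode 'Basic <token>' into (username, password), or None if malformed.

    The scheme name is matched case-insensitively and the decoded string is split on
    the FIRST colon only, so a password that itself contains ':' is preserved.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def check_request(headers: dict) -> tuple:
    """Return (status, response_headers) for a request given its header dict.

    A missing, malformed or wrong Authorization field yields 401 with the
    WWW-Authenticate challenge; valid credentials yield 200.
    """
    creds = parse_authorization(headers.get("Authorization", ""))
    if creds is not None:
        # Constant-time comparison; '&' rather than 'and' so both checks always run.
        ok_user = hmac.compare_digest(creds[0].encode("utf-8"), USERNAME.encode("utf-8"))
        ok_pass = hmac.compare_digest(creds[1].encode("utf-8"), PASSWORD.encode("utf-8"))
        if ok_user & ok_pass:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```

Base64 is reversible encoding, not encryption, so the credentials are readable by anyone who sees the request; the scheme only protects them when the connection is carried over TLS.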