'Basic auth' or HTTP authentication is an authentication method built into browsers. The browser presents a dialog where the user has to provide an ID and password before the page loads.
Basic auth uses the Authorization header to authenticate. The provided ID and password are encoded with base64. The credentials are not encrypted unless the request is sent over HTTPS.
Basic auth is easy to set up. When a user tries to enter a protected page, the server should respond with a WWW-Authenticate header and a 401 status. This header will prompt a dialog in the browser. The browser then sends another request with the credentials set in the
Basic auth is very limited. It's only possible to provide an ID and password.
The dialog is opened before the page loads, and there is no way to customise the dialog.
Each browser determines how long the user is logged in for, and it's not possible to log out users.
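The challenge and response described above, sketched from the server's side. This is an added example, not code from the original page; the function names, the realm and the sample credentials are constructed for illustration.

```python
import base64
import hmac

# Constructed sample credentials and realm (assumptions, not from the page).
EXPECTED_USER = "staging"
EXPECTED_PASSWORD = "example-password"
REALM = "Staging"


def client_header(user, password):
    """Build the header value a browser sends once the dialog is filled in."""
    # base64 is an encoding, not encryption: anyone who sees this can reverse it.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value):
    """Return (user, password) from an Authorization header value, or None."""
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64, bad padding and invalid UTF-8
        return None
    # Split on the first colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_request(headers):
    """Return (status, response_headers) for a request to a protected page."""
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is not None:
        # Constant-time comparison avoids leaking how much of a guess matched.
        user_ok = hmac.compare_digest(creds[0].encode(), EXPECTED_USER.encode())
        pass_ok = hmac.compare_digest(creds[1].encode(), EXPECTED_PASSWORD.encode())
        if user_ok and pass_ok:
            return 200, {}
    # Missing or wrong credentials: the 401 plus this header opens the dialog.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
```
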
When to use it
It can be useful for internal applications such as a staging site.
When not to use it
HTTP authentication shouldn't be used to authenticate users in public-facing applications.
Because the page is not loaded before the user provides credentials, it will confuse users who might think they entered a broken link.