VegaAltair embedded web appliance management

User Authentication In Web-Based Management Systems

Every embedded web management system requires authentication. There are two types of web authentication, and each has its own advantages.

HTTP-based Authentication

Web applications can authenticate users through the HTTP authorization protocol. With HTTP authorization, the browser sends user name and password information with each request. When a web server receives a request for a protected directory without proper authorization, it sends an HTTP authorization response to the browser. The web browser then pops up a login window to collect the user name and password on behalf of the web server.

There are two types of HTTP authorization: Basic Authentication and Digest Authentication. Basic Authentication transmits the username-password pair in an unencrypted form from browser to server. Digest Authentication sends the server a one-way hash of the username-password pair.

All web servers support HTTP-based authentication, although there is no standard way to integrate it with external authentication data, such as a device's own user-password data. The web application also has no control over how the browser presents the login window.

Form-based Authentication

A web application authenticates users through an HTML form. The web application controls the presentation of the form that collects the user name and password, just as it does for any HTML page.

Web applications usually store an indication that the user is authorized as part of the web session data. Some web applications make it part of the process of establishing a web session. Form-based authorization does not require any special support from the web server. The web application checks whether a session has been authorized; if not, it redirects the web request to the application's login page.

Form-based authentication can achieve a similar "digest" effect by using JavaScript in the login page to either encrypt the password or calculate a digest of the password, so that the login request does not transmit the password unprotected. Most commercial web sites use form-based authentication because the web application can control the login presentation and integrate with its own user database.