{"id":49865924,"url":"https://github.com/lukasniessen/http-authentication-explained","last_synced_at":"2026-05-15T03:00:11.020Z","repository":{"id":293506316,"uuid":"984268996","full_name":"LukasNiessen/http-authentication-explained","owner":"LukasNiessen","description":"HTTP Authentication explained: basic authentication, bearer authentication and cookie authentication","archived":false,"fork":false,"pushed_at":"2025-05-15T16:54:47.000Z","size":4,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-05-15T03:00:04.724Z","etag":null,"topics":["basic-authentication","bearer-authentication","bearer-tokens","cookie","cookie-authentication","cookies","http"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LukasNiessen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-15T16:51:58.000Z","updated_at":"2025-05-25T10:31:02.000Z","dependencies_parsed_at":"2025-05-15T17:59:37.874Z","dependency_job_id":null,"html_url":"https://github.com/LukasNiessen/http-authentication-explained","commit_stats":null,"previous_names":["lukasniessen/http-authentication-explained"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/LukasNiessen/http-authentication-explained","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LukasNiessen%2Fhttp-authentication-explained","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LukasNiessen%2Fhttp-authentic
ation-explained/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LukasNiessen%2Fhttp-authentication-explained/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LukasNiessen%2Fhttp-authentication-explained/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LukasNiessen","download_url":"https://codeload.github.com/LukasNiessen/http-authentication-explained/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LukasNiessen%2Fhttp-authentication-explained/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33051875,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-13T13:14:54.681Z","status":"online","status_checked_at":"2026-05-15T02:00:06.351Z","response_time":103,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["basic-authentication","bearer-authentication","bearer-tokens","cookie","cookie-authentication","cookies","http"],"created_at":"2026-05-15T03:00:03.233Z","updated_at":"2026-05-15T03:00:11.007Z","avatar_url":"https://github.com/LukasNiessen.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# HTTP Authentication: Simplest Overview\n\nBasically there are 3 types: Basic Authentication, Bearer Authentication and Cookie Authentication. 
I will give a _super brief_ explanation of them which can serve as a quick-remembering guide, for example. Besides that, I mention some connected topics to keep in mind without going into more detail, and I have a quick code snippet as well.\n\n## Basic Authentication\n\nThe simplest and oldest type - but it's insecure. So do not use it, just know about it.\n\nIt's been in HTTP since version 1 and simply includes the credentials in the request:\n\n```\nAuthorization: Basic \u003cbase64(username:password)\u003e\n```\n\nAs you see, we set the HTTP header _Authorization_ to the string `username:password`, encode it with base64 and prefix `Basic`. The server then decodes the value, that is, removes `Basic` and decodes the base64, and then checks if the credentials are correct. **That's all**.\n\nThis is obviously insecure, even with HTTPS: base64 is an encoding, not encryption, so every single request carries the password itself. If an attacker manages to 'crack' just one request, you're done.\n\nStill, we need HTTPS when using Basic Authentication (e.g. to protect against eavesdropping attacks). Small note: Basic Auth is also vulnerable to CSRF since the browser caches the credentials and sends them along with subsequent requests automatically.\n\n## Bearer Authentication\n\nBearer authentication relies on security tokens, often called bearer tokens. The idea behind the naming: the one bearing this token is allowed access.\n\n```\nAuthorization: Bearer \u003ctoken\u003e\n```\n\nHere we set the HTTP header _Authorization_ to the token and prefix it with `Bearer`.\n\nThe token usually is either a JWT (JSON Web Token) or a session token. Both have advantages and disadvantages - I wrote a separate article about this.\n\nEither way, if an attacker 'cracks' a request, he just has the token. While that is bad, usually the token expires after a while, rendering it useless. And, normally, tokens can be revoked if we figure out there was an attack.\n\nWe need HTTPS with Bearer Authentication (e.g. to protect against eavesdropping attacks).\n\n## Cookie Authentication\n\nWith cookie authentication we leverage cookies to authenticate the client. Upon successful login, the server responds with a Set-Cookie header containing a cookie name, value, and metadata like expiry time. For example:\n\n```\nSet-Cookie: JSESSIONID=abcde12345; Path=/\n```\n\nThen the client must include this cookie in subsequent requests via the _Cookie_ HTTP header. Note that only the `name=value` pair is sent back; attributes such as `Path` stay on the client:\n\n```\nCookie: JSESSIONID=abcde12345\n```\n\nThe cookie value usually is a token, again either a JWT or a session token.\n\nWe need to use HTTPS here.\n\n## Which one to use?\n\nNot Basic Authentication! 😄 So the question is: Bearer Auth or Cookie Auth?\n\nThey both have advantages and disadvantages. This is a topic for a separate article, but I will quickly mention that bearer auth must be protected against XSS (Cross-Site Scripting) and Cookie Auth must be protected against CSRF (Cross-Site Request Forgery). You usually want to set your sensitive cookies to be HttpOnly. 
But again, this is a topic for another article.\n\n## Example of Basic Auth in Java\n\n```Java\nimport java.net.HttpURLConnection;\nimport java.net.URL;\nimport java.nio.charset.StandardCharsets;\nimport java.util.Base64;\n\npublic class BasicAuthClient {\n    public static void main(String[] args) {\n        try {\n            String username = \"demo\";\n            String password = \"p@55w0rd\";\n            String credentials = username + \":\" + password;\n            String encodedCredentials = Base64.getEncoder()\n                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));\n\n            URL url = new URL(\"https://api.example.com/protected\");\n            HttpURLConnection conn = (HttpURLConnection) url.openConnection();\n            conn.setRequestMethod(\"GET\");\n            conn.setRequestProperty(\"Authorization\", \"Basic \" + encodedCredentials);\n\n            int responseCode = conn.getResponseCode();\n            System.out.println(\"Response Code: \" + responseCode);\n\n            if (responseCode == 200) {\n                System.out.println(\"Success! Access granted.\");\n            } else {\n                System.out.println(\"Failed. 
Check credentials or endpoint.\");\n            }\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}\n```\n\n## Example of Bearer Auth in Java\n\n```java\nimport java.net.HttpURLConnection;\nimport java.net.URL;\nimport java.nio.charset.StandardCharsets;\n\npublic class BearerAuthClient {\n    public static void main(String[] args) {\n        try {\n            String token = \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\"; // Replace with your token\n            URL url = new URL(\"https://api.example.com/protected-resource\");\n            HttpURLConnection conn = (HttpURLConnection) url.openConnection();\n            conn.setRequestMethod(\"GET\");\n            conn.setRequestProperty(\"Authorization\", \"Bearer \" + token);\n\n            int responseCode = conn.getResponseCode();\n            System.out.println(\"Response Code: \" + responseCode);\n\n            if (responseCode == 200) {\n                System.out.println(\"Access granted! Token worked.\");\n            } else {\n                System.out.println(\"Failed. 
Check token or endpoint.\");\n            }\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}\n```\n\n## Example of Cookie Auth in Java\n\n```java\nimport java.net.HttpURLConnection;\nimport java.net.URL;\nimport java.io.OutputStream;\nimport java.nio.charset.StandardCharsets;\n\npublic class CookieAuthClient {\n    public static void main(String[] args) {\n        try {\n            // Step 1: Login to get session cookie\n            URL loginUrl = new URL(\"https://example.com/login\");\n            HttpURLConnection loginConn = (HttpURLConnection) loginUrl.openConnection();\n            loginConn.setRequestMethod(\"POST\");\n            loginConn.setDoOutput(true);\n            loginConn.setRequestProperty(\"Content-Type\", \"application/x-www-form-urlencoded\");\n\n            String postData = \"username=demo\u0026password=p@55w0rd\";\n            try (OutputStream os = loginConn.getOutputStream()) {\n                os.write(postData.getBytes(StandardCharsets.UTF_8));\n            }\n\n            String setCookie = loginConn.getHeaderField(\"Set-Cookie\");\n            if (setCookie == null) {\n                System.out.println(\"No cookie received. Login failed.\");\n                return;\n            }\n            System.out.println(\"Received Set-Cookie: \" + setCookie);\n\n            // Set-Cookie carries attributes (Path, HttpOnly, ...) after the first ';'.\n            // Only the name=value pair goes back to the server in the Cookie header.\n            String cookie = setCookie.split(\";\", 2)[0].trim();\n\n            // Step 2: Use cookie for protected request\n            URL protectedUrl = new URL(\"https://example.com/protected\");\n            HttpURLConnection protectedConn = (HttpURLConnection) protectedUrl.openConnection();\n            protectedConn.setRequestMethod(\"GET\");\n            protectedConn.setRequestProperty(\"Cookie\", cookie);\n\n            int responseCode = protectedConn.getResponseCode();\n            System.out.println(\"Response Code: \" + responseCode);\n\n            if (responseCode == 200) {\n                System.out.println(\"Success! 
Session cookie worked.\");\n            } else {\n                System.out.println(\"Failed. Check cookie or endpoint.\");\n            }\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}\n```\n\n# Feedback\n\nFeel free to contribute by submitting a PR or creating an issue.  \n**If this was helpful, you can show support by giving this repository a star! 🌟😊**\n\n# License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukasniessen%2Fhttp-authentication-explained","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flukasniessen%2Fhttp-authentication-explained","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukasniessen%2Fhttp-authentication-explained/lists"}