What is the difference between the X-Auth-Token and Authorization headers? Which is preferred?

时光怂恿深爱的人放手 submitted on 2021-01-20 14:32:33

Question


What is the difference between the two headers below?
Which one is preferred?

  1. X-Auth-Token: dadas123sad12

  2. Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==


Answer 1:


Authorization is the primary header used by clients to authenticate against peers in HTTP, as foreseen in RFC 7235. It is often linked to the Basic authentication scheme as per RFC 7617, but that is not a given.

The Basic scheme allows clients to provide a username/password pair separated by a colon (:), encoded in Base64. It cannot be stressed enough that this is a transport coding that provides no real security benefits. For example, the header you gave can trivially be 'decrypted' into Aladdin:open sesame.

Through the IANA HTTP Authentication Scheme Registry (see also: RFC 7235, sec. 5.1) you will find the Bearer scheme (defined in RFC 6750), which is closely tied to OAuth 2.0. X-Auth-Token is pretty much providing a shortcut here, as it (presumably) does not rely on either OAuth or the HTTP authentication framework.

Please note that with X-Auth-Token being an unregistered header, it is subject to no formal specification, and its presence and content are always tied to the respective application. No general assumptions can be made about it.




Answer 2:


'Authorization: Basic ' means basic authentication: the browser/client has to supply the username/password with each request.

In the case of 'x-auth-token', the user has to supply the username/password for the first time only, and the server returns an access token in the header field 'x-auth-token'. For further sessions this token is exchanged, not the username/password.
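As an added example (not code from the question or either answer), here is a small server-side Python check that handles both header forms from the question: it reverses the Basic transport coding that Answer 1 describes, so the example header really does decode to Aladdin:open sesame, and it looks up an X-Auth-Token against tokens issued after a first login, as Answer 2 describes. The user table and token table are constructed sample data; the function names are assumptions for this demo.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

def parse_authorization(header_value: str) -> Tuple[str, Optional[str]]:
    """Split an Authorization header into (scheme, credentials); the scheme is case-insensitive."""
    parts = header_value.strip().split(None, 1)
    if not parts:
        raise ValueError("empty Authorization header")
    scheme = parts[0].lower()
    credentials = parts[1].strip() if len(parts) > 1 else None
    return scheme, credentials

def decode_basic(credentials: str) -> Tuple[str, str]:
    """Reverse the Basic transport coding (RFC 7617): Base64 of 'user:password'.
    Base64 is not encryption, so anyone who can read the header has the password."""
    try:
        raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    if ":" not in raw:
        raise ValueError("Basic credentials must contain ':'")
    user, password = raw.split(":", 1)  # the password itself may contain ':'
    return user, password

# Constructed sample data; a real app checks a salted password hash and a session store.
USERS = {"Aladdin": "open sesame"}
SESSION_TOKENS = {"dadas123sad12": "Aladdin"}  # token issued after the first login
def authenticate(headers: dict) -> Optional[str]:
    """Return the authenticated username or None; accepts Basic or X-Auth-Token."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "authorization" in h:
        scheme, creds = parse_authorization(h["authorization"])
        if scheme != "basic" or not creds:
            return None  # other schemes (e.g. Bearer) are out of scope for this demo
        try:
            user, password = decode_basic(creds)
        except ValueError:
            return None  # malformed header: unauthenticated, not a server error
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):  # constant-time
            return user
        return None
    token = h.get("x-auth-token")
    if token:
        for issued, user in SESSION_TOKENS.items():
            if hmac.compare_digest(issued.encode(), token.encode()):
                return user
    return None
```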



Source: https://stackoverflow.com/questions/39017297/what-is-difference-between-x-auth-token-vs-authorisation-headers-which-is-prefer
