我在一个php网站上设置基本的身份验证,并在php手册上找到了这个页面,显示设置。“realm”在header中是什么意思?

header('WWW-Authenticate: Basic realm="My Realm"');

是被请求的页面吗?


当前回答

领域可以被视为使用凭证的区域(不是特定的页面,可以是一组页面);这也是浏览器弹出登录窗口时将显示的字符串,例如。

请输入您的用户名和密码<域名>:

当领域发生变化时,如果浏览器没有特定领域的凭据,它可能会显示另一个弹出窗口。

其他回答

领域可以被视为使用凭证的区域(不是特定的页面,可以是一组页面);这也是浏览器弹出登录窗口时将显示的字符串,例如。

请输入您的用户名和密码<域名>:

当领域发生变化时,如果浏览器没有特定领域的凭据,它可能会显示另一个弹出窗口。

来自RFC 1945 (HTTP/1.0)和RFC 2617 (HTTP/ 1.1引用的HTTP身份验证)

The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme.

简而言之,同一领域中的页面应该共享凭证。如果您的凭证适用于具有“My realm”领域的页面,那么应该假定相同的用户名和密码组合应该适用于具有相同领域的另一个页面。

根据RFC 7235, realm参数是为定义保护空间(需要凭据的页面或资源集)而保留的,身份验证方案使用它来指示保护范围。

要了解更多细节,请参阅下面的报价(RFC中没有重点内容):

2.2. Protection Space (Realm) The "realm" authentication parameter is reserved for use by authentication schemes that wish to indicate a scope of protection. A protection space is defined by the canonical root URI (the scheme and authority components of the effective request URI) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, that can have additional semantics specific to the authentication scheme. Note that a response can have multiple challenges with the same auth-scheme but with different realms. [...]


注1:HTTP认证框架目前由RFC 7235定义,它更新了RFC 2617并淘汰了RFC 2616。

注2:realm参数在挑战中不再总是必需的。