Skip to content

Testing HTTP Basic Authentication

Mari Vihuri Jan 13, 2021 Tutorial

A few weeks ago, a customer reported an issue with HTTP Basic Authentication when using our WonderSwitcher browser extension.

Sites that use Basic Auth normally show a browser prompt asking for a username and password. When connected to a proxy in the Switcher (in v4.6.4), the prompt never showed and the site returned a 401 Unauthorized error instead. Oops!

Fixing the Switcher bug

The problem was that the Switcher was trying to handle any and all browser requests for authentication. The Switcher uses Proxy-Authenticate to connect you to proxy servers, but WWW-Authenticate is how HTTP Basic Auth gets started, and the Switcher isn't designed to handle that. We modified the Switcher to ignore WWW-Authenticate, so now those Basic Auth requests bypass the Switcher completely (thanks Tom!).

Testing Basic Auth with httpbin

Once we had a fix in place, we needed a good way to test it. If you haven't used httpbin before, it's a simple web-based HTTP client. It provides a number of useful endpoints that make it a super handy tool for testing.

The endpoint for Basic Auth is /basic-auth/{user}/{passwd}. For example, if you go to http://httpbin.org/basic-auth/foo/bar you'll see a prompt and you can authenticate using the username foo and the password bar.

Browser prompt asking for a username and password
Testing HTTP Basic Auth with httpbin

Once you authenticate successfully, you'll see some JSON that says "authenticated": true and shows the username you used.

httpbin authenticated page displaying some JSON
Successful authentication using HTTP Basic Auth

Clearing Basic Auth credentials

Testing Basic Auth prompts can get a bit annoying. Browsers automatically remember your credentials and reuse them, which means the prompt will stop appearing once you've authenticated successfully (until the next time you close your browser). Basic Auth credentials aren't stored with other passwords in most browsers, so it's not immediately obvious where to find them or how to reset them.

If you're using httpbin, you can sidestep this problem by inventing new URLs for each test. But what if you want to confirm a specific page is working correctly? Quitting and reopening your browser between each test is a headache.

Luckily, there's a way to make browsers forget any HTTP Basic Auth credentials they've previously remembered.

Clear Basic Auth credentials in Chrome & Edge

(working as of Chrome 87.0 & Edge 87.0)

  1. Open Clear Browsing Data (Ctrl+Shift+Del  or Cmd+Shift+Del)
  2. Select Cookies and other site data
  3. Select Cached images and files
  4. Select a suitable time range (e.g. Last hour)
  5. Click Clear data
Chrome's Clear Browsing Data modal
Clearing stored HTTP Basic Auth credentials in Chrome & Edge

Clear Basic Auth credentials in Firefox

(working as of Firefox 84.0.2 — shout out to the folks on Super User for these instructions)

  1. Open Clear Recent History (Ctrl+Shift+Del  or Cmd+Shift+Del)
  2. Select Active Logins
  3. Select Cache
  4. Select a suitable time range (e.g. Last Hour)
  5. Click OK
Firefox's Clear Recent History modal
Clearing stored HTTP Basic Auth credentials in Firefox

Clear Basic Auth credentials in Safari

(working as of Safari 14.0)

  1. Go to SafariPreferences
  2. Click on the Privacy tab
  3. Click Manage Website Data
  4. Search for the domain you're testing (e.g. httpbin.org)
  5. Click Remove
Safari's Manage Website Data modal
Clearing stored HTTP Basic Auth credentials in Safari

Voilà! When you visit your test page, you'll see the credential prompt again.

We hope you'll find these steps helpful! We're happy to say we've shipped our bug fix too, so you won't see this bug anymore in v4.6.5 of the Switcher.

Mari Vihuri

Mari is a QA engineer at WonderProxy. You can find her watching hockey, playing board games, and teaching her cat new tricks.