When looking at the differences between X-Auth-Token vs Authorization headers, which is preferred?
Solution 1:
Authorization
is the primary header used by clients to authenticate against peers in HTTP as foreseen in RFC 7235. It is often linked to the Basic
authentication scheme as per RFC 7617, but that is not a given.
The Basic
scheme allows clients to provide a username-password-pair separated by a colon (:
) coded in Base64. It cannot be stressed enough that this is a transport coding that provides no real security benefits. E.g. the example given by you can trivially be 'decrypted' into Aladdin:open sesame
.
Through the IANA HTTP Authentication Scheme Registry (see also: RFC 7235, sec. 5.1) you will find the Bearer
scheme (defined in RFC 6750), which is closely tied to OAuth 2.0. X-Auth-Token
is pretty much providing a shortcut here as it (presumably) does not rely on either OAuth or the HTTP authentication framework.
Please note that with X-Auth-Token
being an unregistered header, it is subject to no formal specification and its presence and content is always tied to a respective application. No general assumptions can be made on it.
Solution 2:
'Authorization: Basic ' means basic authentication, browser/client have to supply the username/password with each request.
In case of 'x-auth-token' user has to supply username/password for the first time and server returns a access-token in header field 'x-auth-token'. For further sessions this token is exchanged, not the username/password.