Fortinet 227 FortiWeb 5.0 Patch 6 Administration Guide
4. If the client authenticates successfully, the FortiWeb appliance forwards the original request
to the server.
If the client does not authenticate successfully, the FortiWeb appliance sends the same HTTP 401
Authorization Required response (with its WWW-Authenticate challenge) again, asking the client
for valid credentials.
5. Once the client has authenticated with the FortiWeb appliance, if FortiWeb applies no other
restrictions and the URL is found, it returns the web server’s reply to the client.
If the client’s browser is configured to do so, it can cache the realm along with the supplied
credentials, automatically re-supplying the user name and password for each request with a
matching realm. This provides convenience to the user; otherwise, the user would have to
re-enter a user name and password for every request.
See also
Configuring local end-user accounts
Configuring queries for remote end-user accounts
Applying user groups to an authorization realm
Grouping authorization rules
Single sign-on (SSO)
Configuring local end-user accounts
FortiWeb can use local end-user accounts to authenticate and authorize HTTP requests to
protected web sites. For details, see “Offloading HTTP authentication & authorization” on
page 225.
To configure a local user
1. Go to User > Local User > Local User.
To access this part of the web UI, your administrator's account access profile must have
Read and Write permission to items in the Auth Users category. For details, see
“Permissions” on page 47.
2. Click Create New.
Advise users to clear their cache and close their browser after an authenticated session.
HTTP itself is stateless, and HTTP authentication has no log-out: once the browser has cached
the credentials for a realm, it keeps re-supplying them until the cache is cleared, either
manually by the user or automatically when the browser window or tab is closed. If the cache is
not cleared, an unauthorized person with access to the user's computer could reach the web site
with that user's credentials.
Clear text HTTP authentication is not secure. User names and request data (and, with Basic
authentication, passwords: base64 is an encoding, not encryption) are sent in clear text and can
be read by anyone on the network path. If you require encryption and other security features in
addition to authorization, use HTTP authentication with SSL/TLS (i.e. HTTPS) and disable HTTP.
See HTTP Service and HTTPS Service.
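The exchange described in the numbered steps above, the browser's per-realm credential cache, and the clear-text caveat, worked through as an added example. This is not code from the FortiWeb guide or from Fortinet: appliance() and Browser are small stand-ins written for this page, and the realm name, paths and user accounts are constructed sample data. What it shows that the text does not is the two-round shape of the first request, the single silent round of every request after it, the identical 401 re-challenge after a wrong password, and how little decoding a captured header needs.

```python
"""Offloaded HTTP Basic authentication, modelled end to end (no network).
appliance() and Browser are constructed stand-ins for this example, not
FortiWeb code; realm, paths and accounts are constructed sample data."""
import base64
import binascii
import hmac
from typing import Dict, List, Optional, Tuple

REALM = "FortiWeb Protected Site"                # assumed realm name
USERS = {"alice": "s3cret!", "bob": "hunter2"}   # constructed local end-user accounts


def encode_basic(user: str, password: str) -> str:
    """Build the Authorization value a browser sends after a Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization header, or None when it is
    absent, uses another scheme, or is malformed. Base64 is not encryption."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def check_credentials(user: str, password: str, users: Dict[str, str]) -> bool:
    """Constant-time comparison so timing does not reveal which part was wrong."""
    expected = users.get(user, "")
    return hmac.compare_digest(password.encode(), expected.encode()) and user in users


def appliance(headers: Dict[str, str], users: Dict[str, str] = USERS,
              realm: str = REALM) -> Tuple[int, Dict[str, str], str]:
    """Appliance side of the flow: returns (status, response headers, action).
    A real proxy would forward on 200; the action string records that here."""
    lowered = {k.lower(): v for k, v in headers.items()}
    creds = decode_basic(lowered.get("authorization"))
    if creds is None or not check_credentials(creds[0], creds[1], users):
        # First challenge and every re-challenge look the same: the client
        # cannot tell a missing header from a wrong password.
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, "challenge"
    return 200, {}, f"forward to origin as {creds[0]}"


class Browser:
    """Client side: caches credentials per realm and re-supplies them silently,
    which is the convenience (and the shared-computer risk) the guide notes."""

    def __init__(self, answers: Dict[str, Tuple[str, str]]):
        self.answers = answers              # what the user would type, per realm
        self.cache: Dict[str, str] = {}     # realm -> cached Authorization value
        self.last_realm: Optional[str] = None

    def clear_cache(self) -> None:
        """What 'clear the cache / close the browser' amounts to for HTTP auth."""
        self.cache.clear()

    def request(self, path: str, max_rounds: int = 3) -> Tuple[int, List[Tuple]]:
        """Fetch path, retrying after a 401 as a browser would. Returns the final
        status and a transcript of (side, ...) entries for both parties."""
        transcript: List[Tuple] = []
        tried = set()
        for _ in range(max_rounds):
            headers: Dict[str, str] = {}
            if self.last_realm in self.cache:
                headers["Authorization"] = self.cache[self.last_realm]
            transcript.append(("client", f"GET {path}", dict(headers)))
            status, resp, action = appliance(headers)
            transcript.append(("appliance", status, action))
            if status != 401:
                return status, transcript
            realm = resp["WWW-Authenticate"].split('realm="')[1].rstrip('"')
            self.last_realm = realm
            answer = self.answers.get(realm)
            if answer is None or answer in tried:
                return status, transcript   # user cancels the repeated prompt
            tried.add(answer)
            self.cache[realm] = encode_basic(*answer)   # "prompt", then remember


if __name__ == "__main__":
    alice = Browser({REALM: ("alice", "s3cret!")})
    for step in alice.request("/private/")[1] + alice.request("/private/2")[1]:
        print(step)
    # The cached header is plain base64: whoever holds the cache, or a capture
    # of the wire over plain HTTP, has the password.
    print(decode_basic(alice.cache[REALM]))
```

Running the block prints a four-entry transcript for the first request (challenge, then forward) followed by a two-entry transcript for the second, and then the recovered user name and password. Calling clear_cache() on the Browser puts it back to the two-round behaviour, which is the effect the "clear the cache" advice relies on; over plain HTTP the same decode_basic() call works on anything captured from the wire, which is why the guide says to use HTTPS and disable HTTP.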