URL-embedded credentials

google-chrome http url web basic-authentication
10,911

Solution 1

But it is also possible to embed the credentials in the URL

Only if the browser is buggy in its support of HTTP, often deliberately so to be backwards compatible with browsers where people mistakenly thought this was a good idea.

It's never been allowed by the HTTP scheme, though the URI syntax more generally does allow user information there.

Is it something that is interpreted by the browser and converted into a Authorization header.

Yes. If the server at sent a 401 the browser would reply using that username and password. There has been at least one that used to pre-emptively attempt Basic which was obviously a bad idea on top of the existing bad idea.

Solution 2

The user experience if you type a url with credentials varies by browser and browser settings.

Say you request http://user:[email protected]/index.html.

The browser requests http://example.com/index.html, ignoring the credentials for the first request. The server gives a 401 response stating that basic auth is required. Then depending on the browser and configuration you might experience

  • a non-populated username/password prompt for credentials, ignoring the user/pass
  • a prompt to the user asking whether to log on to example.com as user (Firefox)
  • automatically login with the credentials.

Then a second request will be made to http://example.com/index.html with the Authorization header.

Any other client that logs on automatically when given such a URL is using an Authorization header, there's no other way basic auth works.

Share:
10,911
sdabet
Author by

sdabet

Updated on June 04, 2022

Comments

  • sdabet
    sdabet almost 2 years

    Wikipedia says that HTTP Basic authentication relies on the Authorization header to provide credentials from the client to the server.

    But it is also possible to embed the credentials in the URL:

    http(s)://<user>:<password>@<host>/<path>

    Is it something that is interpreted by the browser and converted into a Authorization header or is it directly sent to the server?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Parameter separator in URLs, the case of misused question mark
Error while checking if URL is exists in Flutter
Flutter - Failed to launch browser. Make sure you are using an up-to-date Chrome or Edge
How do I display an image in a Flutter Web using Image.memory when I only have a Stream<List<int>>? data-type?
Flutter text does not appear completely
Add offline mode to a Flutter Web App - Service Workers/Pwas
Get URL of a http get request in flutter app
How to get URL of a file in an HTTP GET request?
Which HTTP status code to use to reject a PUT due to optimistic locking failure
What does WWW do?