Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to enable HTTP basic authentication in Internet Explorer?

A URL such as http://username:[email protected]/ does not work in Internet Explorer, as explained in the Microsoft Knowledgebase article “Internet Explorer does not support user names and passwords in Web site addresses”. I can’t find a proper workaround for this. I want just a simple link in a HTML document which works.

The purpose of the exercise:

We have a website, with fairly secure cookie-based login. We have standard stats packages (Webalizer and AWStats) which use HTTP authentication. I want to give the administrator of the site a quick link to the stats. The link, which includes the password, will be available only to a logged in administrator. It’s no great security risk.

like image 937
TRiG Avatar asked Sep 01 '10 16:09

TRiG


People also ask

How can I pass the basic HTTP authentication?

We can do HTTP basic authentication URL with @ in password. We have to pass the credentials appended with the URL. The username and password must be added with the format − https://username:password@URL.

Why is basic authentication not recommended?

Basic authentication is simple and convenient, but it is not secure. It should only be used to prevent unintentional access from nonmalicious parties or used in combination with an encryption technology such as SSL.


2 Answers

Per the Knowledgebase article, this can be enabled by setting the DWORD for iexplore.exe to 0 in: [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE].

Doing so will enable you to browse to URLs using the syntax [user]:[password]@[url].

like image 166
kblmfld Avatar answered Sep 22 '22 10:09

kblmfld


The username:[email protected] construct was removed as a security feature. Storing passwords in plain text is a bad idea to start with, and this form of the url was a frequently used attack vector for phishing attacks. The article you link to lists some work-arounds... can you not just prompt the user to enter a password?

If you give a little more details about what you're doing, it's possible a better solution may be found.

like image 22
i_am_jorf Avatar answered Sep 18 '22 10:09

i_am_jorf