Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Pass username and password in URL for HTTP Basic Auth

When passing username and password encoded in URL, eg: https://Aladdin:[email protected]/index.html

Is the client in fact sending this in Authorization header? What kind of processing is needed on server side for this kind of URL encoding?

like image 853
igobivo Avatar asked May 05 '17 06:05

igobivo


People also ask

How can I pass the basic HTTP authentication or token authentication?

Basic HTTP authentication You need to generate a Base64-encoded credential with the Customer ID and Customer Secret provided by Agora and pass the credential to the Authorization parameter in the request header.

How do I pass a username and password in REST API?

The client must create a POST call and pass the user name, password, and authString in the Request headers using the /x-www-form-urlencoded content type. The AR System server then performs the normal authentication mechanisms to validate the credentials.

What is username and password in basic authentication?

Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains the word Basic word followed by a space and a base64-encoded string username:password .

How do I encode a URL password?

To solve general case of special characters: Just open chrome console with F12 then paste encodeURIComponent(str) where str is your password (or username) and then use the encoded result to form url with password.


1 Answers

Is the client in fact sending this in Authorization header?

It depends on what the client is. If the client is a browser, the answer is no. Here is the experiment result:

  • In Chrome, no authorization header is sent.
  • In Firefox, no authorization header is sent. Firefox will also prompt a confirm dialog, as proactively sending authenticate information is weird.
  • In Safari, no authorization header is sent. Safari will also display a warning page first, as it suspect the URL is belong to a fishing site.
  • In Opera, no authorization header is sent.
  • I'm on Mac and can't run experiment on IE/Edge. But according to other browser's behaviour which is reasonable, I guess IE/Edge would act the same. Anyway, I'd appreciate if someone takes an experiment and get the result.

Generally speaking, browser will ignore authenticate information proactively sent in URL, for security reason.

However, if the client is a development tool, the authenticate information may be encoded in base64 and sent as Authorization header. Here is some experiment result:

  • In curl, yes, the authorization header is sent.
  • In Postman, no authorization header is sent.

Whether the authorization header is sent depends on the tool's design.

What kind of processing is needed on server side for this kind of URL encoding?

In server side, all you need to do is get the base64 encoded string from Authorization header, decode it, and check whether it is valid.

Would it be any different if HTTP protocol is used in example URL?

For security, yes, Authorization header through HTTP is very insecure. Base64 encoding/decoding will not make any security benefit, it can be decoded by everyone.

Otherwise, they are the same.

like image 50
shaochuancs Avatar answered Sep 28 '22 05:09

shaochuancs