URL-embedded credentials

Question

Wikipedia says that HTTP Basic authentication relies on the Authorization header to provide credentials from the client to the server.

But it is also possible to embed the credentials in the URL:

http(s)://<user>:<password>@<host>/<path>

Is it something that is interpreted by the browser and converted into a Authorization header or is it directly sent to the server?

Answer 1

But it is also possible to embed the credentials in the URL

Only if the browser is buggy in its support of HTTP, often deliberately so to be backwards compatible with browsers where people mistakenly thought this was a good idea.

It's never been allowed by the HTTP scheme, though the URI syntax more generally does allow user information there.

Is it something that is interpreted by the browser and converted into a Authorization header.

Yes. If the server at sent a 401 the browser would reply using that username and password. There has been at least one that used to pre-emptively attempt Basic which was obviously a bad idea on top of the existing bad idea.

Answer 2

The user experience if you type a url with credentials varies by browser and browser settings.

Say you request http://user:[email protected]/index.html.

The browser requests http://example.com/index.html, ignoring the credentials for the first request. The server gives a 401 response stating that basic auth is required. Then depending on the browser and configuration you might experience

• a non-populated username/password prompt for credentials, ignoring the user/pass
• a prompt to the user asking whether to log on to example.com as user (Firefox)
• automatically login with the credentials.

Then a second request will be made to http://example.com/index.html with the Authorization header.

Any other client that logs on automatically when given such a URL is using an Authorization header, there's no other way basic auth works.