4

I am automating a website which requires HTTP Basic Authentication.

The suggestions given in this link work like a charm in most cases:

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

However, some of the users have a question mark (?) in their password. Please advise on how to escape the question mark.

P.S. I am aware that @ in the username can be escaped as %40.

MrWhite
  • Can you confirm the precise URL structure you are referring to? The _conventional_ way of passing user/pwd in the URL for HTTP Basic Auth does not use “URL parameters”. – MrWhite Jan 31 '20 at 22:49

1 Answer

3

I assume you must be referring to the userinfo part of the URL in which the user credentials are passed, not "URL parameters" (which are part of the query-string):

https://<userinfo>@example.com/foo?<query-string>

As with any character that is not permitted in any one part of the URL (because it may have special meaning), it must be URL-encoded (percent-encoded) as % followed by the two digit hex code for that character.

So, @ is %40 and ? is %3F.

But those aren't the only two characters that may need URL encoding. You should be passing the value through a URL-encode function in your script to correctly URL encode that part of the URL.

RFC 3986 defines what characters are permitted (unencoded) in the userinfo part of the URL:

userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded = "%" HEXDIG HEXDIG
sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
              / "*" / "+" / "," / ";" / "="

So, everything else must be percent-encoded, including : and % - if they are part of the user or password parts (in order to negate their special meaning).

Also stated in the same document:

Use of the format "user:password" in the userinfo field is deprecated.

Consequently browser support has been patchy, coming and going over the versions (security a primary concern). I believe the latest versions of Chrome (tested v79) and Firefox do support user credentials in the URL. I've seen comments that this also works in the latest Safari(?), although this hasn't worked for a long time and it doesn't currently work for me (although I'm not running the latest on iOS 12.4.1). And IE dropped support for usernames and passwords in the URL some years ago and it doesn't look like it's coming back.

MrWhite
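The answer's advice to pass each credential through a URL-encode function, shown as an added example in Python (not code from the original answer). The function names and sample credentials are constructed for illustration, and `host` is assumed to be a bare hostname without a port.

```python
from urllib.parse import quote, unquote, urlsplit

# RFC 3986 sub-delims, allowed unencoded in userinfo. quote() already leaves
# the unreserved set (ALPHA / DIGIT / "-" / "." / "_" / "~") untouched.
SUB_DELIMS = "!$&'()*+,;="


def encode_userinfo(user: str, password: str) -> str:
    """Return 'user:password' with each half percent-encoded for userinfo.

    ":" is deliberately not in the safe set: inside either half it becomes
    %3A, so the single literal ":" stays the only user/password separator.
    """
    return f"{quote(user, safe=SUB_DELIMS)}:{quote(password, safe=SUB_DELIMS)}"


def parsed_host(url: str):
    """Host that a URL parser will actually connect to for this URL."""
    return urlsplit(url).hostname


def basic_auth_url(scheme: str, host: str, path: str, user: str, password: str) -> str:
    """Build scheme://userinfo@host/path and check that it parses back."""
    url = f"{scheme}://{encode_userinfo(user, password)}@{host}{path}"
    parts = urlsplit(url)
    # Round-trip check: a mis-encoded credential moves the host boundary or
    # spills into the path/query, so the request would go somewhere else.
    if (parts.hostname != host.lower()
            or unquote(parts.username or "") != user
            or unquote(parts.password or "") != password):
        raise ValueError("credentials did not survive URL parsing")
    return url


if __name__ == "__main__":
    # Constructed sample credentials containing @ ? : / % and #
    user, password = "alice@corp", "p?ss:w/rd%1#"
    print(basic_auth_url("https", "example.com", "/foo", user, password))
    # Without encoding, the "?" ends the authority early and the parser
    # sees a different host than the one intended.
    print(parsed_host(f"https://{user}:{password}@example.com/foo"))
```

Because the encoded URL carries the password, treat it like the password itself and keep it out of logs and command-line history.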