231

I believe this is not possible, but someone I know insisted that it works. I don't even know what parameters to try, and I haven't found this documented anywhere.

I tried http://myserver.com/~user=username&password=mypassword but it doesn't work.

Can you confirm that it's not in fact possible to pass the user/pass via HTTP parameters (GET or POST)?

ripper234
  • 5,710
  • 9
  • 40
  • 49

5 Answers5

310

It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:password@example.com/ -- this sends the credentials in the standard HTTP "Authorization" header.

It's possible that whoever you were speaking to was thinking of a custom module or code that looked at the query parameters and verified the credentials. This isn't standard HTTP auth, though, it's an application-specific thing.

womble
  • 95,029
  • 29
  • 173
  • 228
  • 1
    Thanks, this is just what I was looking for ... it's not critical that it's GET parameters, just that I can craft it into the URL. – ripper234 Mar 21 '12 at 12:48
  • Nice. Make sure to also encode your password in case it has special characters. Just open your browser's console `encode("my&password&")`. Returns you the encoded string to use after the `username` – Hendrik Jan 07 '14 at 23:30
  • 59
    FYI, the `http://username:password@example.com` format is no longer supported by either [IE](http://support.microsoft.com/kb/834489) or [Chrome](https://code.google.com/p/chromium/issues/detail?id=82250#c7), wouldn't be surprised if others followed suit if they haven't already. – T.J. Crowder Jun 20 '14 at 10:31
  • 13
    Actually works fine in Chrome. Only IE is being a spoiled brat. – Damien Overeem ツ Aug 18 '14 at 13:12
  • 1
    @DamienOvereem what version of chrome you on? i'm on mac os x 37 and it does not seem to work for me – Chris DaMour Aug 27 '14 at 16:23
  • 17
    I have since learned that Chrome had it disabled for a time, but re-enabled this feature later. I've also learned that Safari will throw phishing errors when running into these types of links.. Basically the time of url-based http authentication is over.. – Damien Overeem ツ Aug 28 '14 at 09:20
  • 1
    Basic http auth is a pain, but since it is easy to setup it is unlikely to ever be completely eliminated. Even http 2.0 includes rfc7235 with no mention of deprecation. – chicks Mar 02 '15 at 15:11
  • 1
    @womble but if password contains '@' then it doesn't work. it gives fatal error, can anyone tell me how we can give username & password at once. – Ashish Jain Mar 04 '15 at 07:48
  • @womble : Is it possible to get credentials in HTTPOST request? – Ankita Jan 05 '17 at 11:23
  • Note that not all clients (browsers, `curl`, etc) will convert those credentials into the standard HTTP "Authorization" header. I'm dealing with an issue where I must retrieve the credentials from the URL rather than the header: http://stackoverflow.com/questions/41728885 – Marco Roy Jan 26 '17 at 23:59
  • This does not work any more in most browsers: Subresource requests whose URLs contain embedded credentials (e.g. https://user:pass@host/`) are blocked ... is the message you will get when trying that – frandevel Apr 24 '18 at 14:37
  • 1
    Is the password transmitted over HTTP as plain text? – rraallvv Oct 05 '18 at 21:21
  • 1
    @AshishJain `@` in the password field can be escaped as `%40`. The literal `@` is the delimiter. – Rich Dec 13 '18 at 23:44
  • @rraallvv Yes, HTTP is a plaintext protocol. It was designed to be the same as FTP (and gopher, right?) – Rich Dec 13 '18 at 23:50
  • January 2019, this still works in Firefox. – Jérôme Jan 07 '19 at 08:26
  • 2
    It may still work but I wouldn't use it for anything other than testing: https://tools.ietf.org/html/rfc3986 - Use of the format "user:password" in the userinfo field is deprecated. – Alex Feb 28 '19 at 12:43
  • As of 2019-12-02 this works in Chrome for me but not in Safari. – Magnus Dec 02 '19 at 12:23
  • May 2020 - it doesn't work in FF, Safari or Chrome on MacOS – Nir Alfasi May 25 '20 at 12:11
  • In July 2020, on Arch Linux, that doesn't work in Chromium but works in Firefox. On Android, that works both in Firefox and Chrome. – ynn Jul 16 '20 at 08:12
24

http://username:password@example.com will works for FireFox, Chrome, Safari BUT not for IE.

Microsoft Knowledge Base

BinaryMisfit
  • 1,593
  • 2
  • 15
  • 30
Girish Kumar
  • 341
  • 2
  • 2
  • 4
    This capability was removed from Chrome 19+. See https://code.google.com/p/chromium/issues/detail?id=123150 – Moshe Katz Oct 31 '13 at 21:07
  • 6
    By my reading of that bug report, it got added back into Chrome 20. Certainly, I'd expect to see a lot of continued complaining about it if it hadn't been. – womble Jan 10 '14 at 10:08
  • I now requested it for Internet Explorer: http://connect.microsoft.com/IE/feedback/details/873575/ie10-ie-11-authentication-for-embeded-images-audio-and-video. Slightly different use-case, but addresses the same issue ;) – SimonSimCity May 16 '14 at 13:03
  • 2
    @Diago if password contains '@' then it doesn't work. it gives fatal error, can anyone tell me how we can give username & password at once – Ashish Jain Mar 04 '15 at 07:50
  • 1
    @AshishJain -- I would try escaping the `@` in the password as `%40`. (I don't know if that works, though, and it might depend on the server or browser/server combination.) – David Moles Apr 14 '15 at 00:00
  • Doesn't work in linux lynx either. – user38537 Jun 04 '16 at 07:48
  • // , Girish, I like the brevity. Would you mind explaining why this works? – Nathan Basanese May 11 '17 at 00:24
20

Passing Basic authentication parameters in URL not recommended

There is an Authorization header field for this purpose check it here: http header list

How to use it is written here: Basic access authentication

There you can also read that although it is still supported by some browsers the suggested solution of adding the Basic authorization credentials in the url is not recommended.

Read also chapter 4.1 in RFC 2617 - HTTP Authentication for more details on why NOT to use Basic Authentication.

Passing authentication parameters in query string

When using OAuth or other authentication services you can often also send your access token in a query string instead of in an authorization header, so something like:

GET https://www.example.com/api/v1/users/1?access_token=1234567890abcdefghijklmnopqrstuvwxyzABCD
Wilt
  • 683
  • 8
  • 13
  • And how does one go about encoding an Authorization header into a URL? – womble Jan 10 '14 at 10:09
  • 2
    Isn't that the form you stated was now deprecated? – womble Jan 14 '14 at 04:37
  • 3
    The question you answered with "There is an Authorization header field for this purpose" was asking how to put authentication parameters *into the URL*. If you can't encode HTTP header fields into a URL (which you can't), your answer is a non sequitur. – womble Jan 15 '14 at 22:17
  • Can you cite where in the URI standard says that passing basic authentication parameters in URI is deprecated? RFC 2396 only says that it is "NOT RECOMMENDED" because authentication details in plain text is, in many circumstances, not a good idea (of which I agree), while RFC 7235 mentions nothing. Nowhere in the specs I can search says that it's deprecated. – Lie Ryan Jul 01 '15 at 13:21
  • @LieRyan Apparently someone altered the page since it is not written there any more. I tried to do some googling but nothing showed up so I altered the title also to "not recommended". But if you read [chapter 4.1 in RFC 2617 - HTTP Authentication](https://www.ietf.org/rfc/rfc2617.txt) then I can imagine why it is not recommended. – Wilt Jul 01 '15 at 13:32
  • 2
    @Wilt: I have to apologise, you are indeed correct. Your hint that the spec was "altered" instigated me to investigate further (an RFC is never modified once it's published/numbered). I just found that RFC 2396 has actually been superseded by [RFC 3986](https://www.ietf.org/rfc/rfc3986.txt), which I wasn't able to find earlier. RFC 3986 does mention the deprecation of username:password syntax: `Use of the format "user:password" in the userinfo field is deprecated.` – Lie Ryan Jul 01 '15 at 14:19
  • A lot of time has passed, but it now seems that embedding _username:password@_ works fine in top-level url's (i.e. not for sub-resources) with current versions of Chrome and Firefox, but not Safari (at least on an iPhone). Looking at the original RFC 2671 (dated June 1999) chapter 4.1, the only real criticism is that the username and password are passed in clear text. But these days most connections use https, in which case the credentials are encrypted. And with free SSL certificates easily available through letsencrypt.org, there is no reason not to use https . So the criticism is nil. – sootsnoot Jan 19 '20 at 05:28
0

In your example, the URL http://myserver.com/ Would be:

http://username:password@example.com/myserver.com/

As of 12/19/2019 I have tested this and it works for Chrome Firefox Safari

But not for IE, which no longer support basic authentication. I implemented this using SSRS 2017, which hides the username and password. I would recommend you test this with an Incognito Browser. Test with and without the password in different Incognito browsers. The one without the password should ask you for the password.

Clark Vera
  • 11
  • 2
  • "IE, which no longer support basic authentication." - You mean the passing of user credentials in the _userinfo_ part of the URL. IE still supports "[HTTP] basic authentication". And your example URL should be: `http://username:password@myserver.com/`. – MrWhite Jan 31 '20 at 20:57
-1

It is (obviously) possible to send any string in the GET parameters, although not recommended to send login and password as can make it highly visible, especially if it's not in an AJAX request.

You will however, need to then code the server page to extract the login and password and then validate and use them in whatever way is required.

Steve Smith
  • 109
  • 2