Re: Web authentication

From: Alan Kennedy (alanmk_at_hotmail.com)
Date: 12/05/03


Date: Fri, 05 Dec 2003 10:28:31 +0000


[John J. Lee]
> Doesn't/shouldn't http://user:passwd@example.com/blah.html work?
>
> I don't know where that syntax is specified (if anywhere)

RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax

Section: 3.2.2. Server-based Naming Authority

Quoting from that section

"""
   URL schemes that involve the direct use of an IP-based protocol to a
   specified server on the Internet use a common syntax for the server
   component of the URI's scheme-specific data:

      <userinfo>@<host>:<port>

   where <userinfo> may consist of a user name and, optionally,
   scheme-specific information about how to gain authorization to
   access the server. The parts "<userinfo>@" and ":<port>" may be
   omitted.

      server = [ [ userinfo "@" ] hostport ]

   The user information, if present, is followed by a commercial at-sign
   "@".

      userinfo = *( unreserved | escaped |
                         ";" | ":" | "&" | "=" | "+" | "$" | "," )

   Some URL schemes use the format "user:password" in the userinfo
   field. This practice is NOT RECOMMENDED, because the passing of
   authentication information in clear text (such as URI) has proven to
   be a security risk in almost every case where it has been used.
"""

regards,

-- 
alan kennedy
------------------------------------------------------
check http headers here: http://xhaus.com/headers
email alan:              http://xhaus.com/contact/alan
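
An added example, not part of the original post: one way to act on the RFC's "NOT RECOMMENDED" note is to pull the userinfo out of a URL before it is stored, logged or requested, and carry the credentials in an Authorization header instead. The function names `split_userinfo` and `basic_auth_header` are hypothetical, and the sample URLs are constructed.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_userinfo(url):
    """Return (url_without_userinfo, username, password).

    Follows the RFC 2396 grammar: server = [ [ userinfo "@" ] hostport ].
    username and password are None when the component is absent.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, None, None
    # Rebuild the authority from hostport only, dropping "<userinfo>@".
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = "[" + host + "]"
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    clean = urlunsplit((parts.scheme, host, parts.path,
                        parts.query, parts.fragment))
    # userinfo may contain escaped characters (e.g. %40 for "@").
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return clean, user, password


def basic_auth_header(user, password):
    """Build an HTTP Basic Authorization header for the extracted values.

    Basic is only base64-encoded, so it still needs TLS on the wire; the
    gain is that the secret no longer sits in the URL itself.
    """
    raw = ("%s:%s" % (user, password or "")).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


if __name__ == "__main__":
    # Constructed sample URLs.
    samples = [
        "http://user:passwd@example.com/blah.html",
        "http://alice:p%40ss@example.com:8080/x?y=1#z",
        "http://bob@[::1]:8000/",
        "http://example.com/blah.html",
    ]
    for url in samples:
        clean, user, password = split_userinfo(url)
        print(clean, "(userinfo present)" if user is not None else "")
```
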

