[thelist] link to a password protected directory

Keith cache at dowebscentral.com
Thu Jul 11 13:56:03 CDT 2002


At 09:20 AM Thursday 7/11/2002, Bob wrote:
> > How can I pass my username and password within a link to access a password
> > protected directory, so that the browser does not pop up a message box.
>
>Assuming an Apache server you can typically use this syntax:
>
>http://username:password@www.domain.com/protected/directory
>
>where username and password are the same as created using .htaccess.
>
>A security issue is that this URL remains in the browser's history/cache, so
>someone else on that computer could access the protected pages without
>having to know the login name and password.

Not always true, Bob. For example, our server always returns www.domain.com
for a request made to domain.com. A request of
username:password@domain.com therefore also returns only www.domain.com to
the location bar and to the browser's history. Actually I was setting up to
figure out the syntax for a Rewrite to accomplish stripping the
username:password when I discovered it. We have our server set up to rewrite
the www so any https requests will match the secure certificate. I'm sure
there's a Rewrite Rule for this kind of redirect, but I didn't get that far :-)

Gotta agree with Oren, putting the username:password in an HTML page's
source code on a link is pretty foolish. As Bob points out, you can easily
parse forms input with JavaScript to produce username:password@domain.com.
However, if you want to get past using JavaScript, things get weird. If you
submit the form collecting the username & password and attempt a header
Location: redirect with username:password@domain.com, Explorer explodes. To
get Explorer's cooperation you can send the redirect as a meta tag refresh
on an HTML page.



Keith
====================
cache at dowebscentral.com
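
An added example, not part of the original thread: a small JavaScript check that scans page source for links carrying `username:password@` in the URL and shows the credential-free form that a canonical-host redirect like the one described above leaves in the location bar. The sample HTML, the function names and the `canonicalHost` parameter are assumptions made for illustration.

```javascript
// Added example: find links whose URL carries credentials in the userinfo
// part (scheme://user:pass@host/...) and produce the credential-free form.

// Constructed sample page source (not from the original post).
const SAMPLE_HTML = `
<a href="http://username:password@www.domain.com/protected/directory">Members</a>
<a href="http://www.domain.com/public/">Public</a>
<img src="https://bob:s3cret@domain.com/protected/logo.png">
<a href="mailto:someone@domain.com">Mail</a>
`;

// Return the URL without userinfo. canonicalHost is a hypothetical parameter
// mirroring the domain.com -> www.domain.com redirect described in the post.
function stripUserinfo(rawUrl, canonicalHost) {
  const url = new URL(rawUrl);
  url.username = '';
  url.password = '';
  if (canonicalHost) url.hostname = canonicalHost;
  return url.toString();
}

// Scan href/src attribute values and report those that embed credentials.
function findCredentialLinks(html) {
  const findings = [];
  const attr = /\b(?:href|src)\s*=\s*(["'])(.*?)\1/gi;
  for (const match of html.matchAll(attr)) {
    let url;
    try {
      url = new URL(match[2]);
    } catch {
      continue; // relative or malformed URL: nothing to report
    }
    if (!/^https?:$/.test(url.protocol)) continue; // skip mailto: and similar
    if (url.username || url.password) {
      findings.push({
        original: match[2],
        user: url.username,
        hasPassword: url.password !== '',
        stripped: stripUserinfo(match[2]),
      });
    }
  }
  return findings;
}

for (const f of findCredentialLinks(SAMPLE_HTML)) {
  console.log(`credentials in link (user=${f.user}): ${f.original} -> ${f.stripped}`);
}
```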



