[thelist] username:password in URLs

David Siedband david at calteg.org
Wed Feb 4 17:41:50 CST 2004


Noah,

You could authenticate once and generate a short-lived unique ID at the 
end of the URL specific to that login.

Or just add the name and password at the end of the URL:

http://www.domain.com/somePage.php?uname=sarah&password=s00pers3cr37

--
David





On Feb 4, 2004, at 2:44 PM, noah wrote:

> I hope this isn't something that's already been discussed -- I've 
> fallen behind a little on my reading (only 2482 messages behind). I 
> searched for it but didn't find anything. If it has been discussed, 
> please forgive me and point me to the subject. Thanks.
>
> In case it hasn't been discussed, and in case anyone doesn't know 
> already, the latest IE/Windows update has disabled URLs in the format:
>
> <http://username:password@domain.com/>
>
> I've tested it, and sure enough, they don't work. I get an "Invalid 
> Syntax Error," and the standard IE "This page can not be displayed" 
> page (even though I have a custom error page defined, but I'm not 
> worrying about annoying little things like that yet).
>
> My problem is that I have a small PHP application that requires that 
> the username and password be sent through the URL in order to work. 
> Most of the app is protected with session-based authentication, but 
> for certain pages, I can't include session-calling code at the top, so 
> I put them in an .htaccess/.htpasswd protected directory, and pass the 
> username and password through the URL.
>
> I realise that this is not particularly secure. These aren't state 
> secrets I'm protecting, though, so I'm not worried about that.
>
> So my question is, is there another way to send the username/password 
> transparently through PHP? I can see that the variables exist in the 
> fetched page as:
>
> _SERVER["PHP_AUTH_USER"] and _SERVER["PHP_AUTH_PW"]
>
> but I can't figure out how to send the values to the page I'm 
> requesting. I've found plenty of scripts to add users, add groups, 
> etc., but nothing to just retrieve a protected page without having to 
> type the username/password.
>
> Any advice greatly appreciated.
>
> Cheers,
> Noah
> -- 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
>
> For unsubscribe and other options, including the Tip Harvester and 
> archives of thelist go to: http://lists.evolt.org Workers of the Web, 
> evolt !
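
The short-lived, login-specific ID suggested at the top of this reply could look like the following. This is an added example, not code from either poster; the `SECRET_KEY` constant, the `t` parameter name, the function names and the 300-second lifetime are assumptions.

```php
<?php
// Added example. SECRET_KEY is a placeholder: use a long random value that
// never leaves the server. TOKEN_TTL and the "t" parameter are assumptions.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';
const TOKEN_TTL  = 300; // seconds a generated link stays valid

// Called once, right after the normal session login has succeeded.
// The token carries the user name and an expiry time, sealed with an HMAC.
function issue_token(string $user, int $now): string
{
    $payload = bin2hex($user) . '.' . ($now + TOKEN_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Called at the top of the page that cannot start a session.
// Returns the user name, or null when the token is malformed, forged or expired.
function verify_token(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userHex, $expires, $mac] = $parts;

    // Recompute the MAC over the received fields; compare in constant time.
    $expected = hash_hmac('sha256', $userHex . '.' . $expires, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // The fields are only trusted once the MAC has matched.
    if ((int) $expires < $now) {
        return null;
    }
    return hex2bin($userHex);
}

// Constructed demo values (fixed clock so the run is repeatable).
$now   = 1075938110;
$token = issue_token('sarah', $now);
echo "http://www.domain.com/somePage.php?t=$token\n";

var_dump(verify_token($token, $now + 60));           // inside the lifetime
var_dump(verify_token($token, $now + 301));          // after expiry
var_dump(verify_token($token . '0', $now + 60));     // MAC altered
var_dump(verify_token('not-a-token', $now + 60));    // wrong shape
```

The token still travels in the URL, so it ends up in browser history, server logs and Referer headers; the short lifetime is what limits the value of a leaked link, and the password itself never appears.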


