Incorporating username/password in http URL OR GET ??

Albert Lunde Albert-Lunde at nwu.edu
Thu Feb 29 23:41:28 EST 1996


> This may be a simple question, but I can't find the answer.
> I am trying to write a script which will make an HTTP connection
> to a page which requires username+password (using the .htaccess protocols),
> and automatically log in the user.  I know in the URL spec for some types
> of logins this can be done in the form of (e.g.)
>         telnet://username:password@host.domain
> But I cannot find anything which says this will work for HTTP, and in fact
> I have not been able to make it work.  I could script up a complicated GET
> command if that is the solution, but I don't know the correct format to use.
> I have spent a couple hours on this so far, and decided to turn to this
> collection of experts for assistance.  Can anyone help me?

There are documents which give a generic syntax for Internet URL
schemes like the above. From RFC1738:

>While the syntax for the rest of the URL may vary depending on the
>particular scheme selected, URL schemes that involve the direct use
>of an IP-based protocol to a specified host on the Internet use a
>common syntax for the scheme-specific data:
>
>      //<user>:<password>@<host>:<port>/<url-path>

However, the syntax for specific URL schemes in the same document
(and others) uses two different BNF forms:

>login          = [ user [ ":" password ] "@" ] hostport
>hostport       = host [ ":" port ]

Of the predefined schemes listed (http, ftp, news, nntp, telnet, gopher,
wais, mailto, file, prospero), only ftp: and telnet: URLs use the login
form, which allows for a password. http: uses only hostport.

So the syntax in the spec doesn't allow for what you want. See:
http://www.w3.org/hypertext/WWW/Addressing/Addressing.html
http://www.w3.org/hypertext/WWW/Addressing/rfc1738.txt

In the HTTP 1.0 protocol (with Basic Authentication) the user name and
password are not sent as part of the URL on the GET line, but rather in an
"Authorization:" header sent in response to a "WWW-Authenticate:" header
sent when a prior request failed.

The HTTP spec also agrees that the http: URL has the form:

  http_URL       = "http:" "//" host [ ":" port ] [ abs_path ]

See:
http://www.w3.org/hypertext/WWW/Protocols/Overview.html
http://www.w3.org/hypertext/WWW/Protocols/HTTP/1.0/spec.html

While you could write a custom client that would do a GET with a username
and password by sending the right headers with the request, trying to use
the generic URL syntax to do this is not going to work.

(There are other authorization schemes in the works besides Basic, but it
is still widely used.)

(Also note: While the spec for telnet URLs allows for a username and
password, you are unlikely to find this implemented.)

---
    Albert Lunde                      Albert-Lunde at nwu.edu
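
The exchange described in the reply above, as an added example that is not part of the original post: a client sees a 401 with a "WWW-Authenticate:" challenge and retries the GET with an "Authorization:" header, while refusing an http: URL that carries user:password@. The function names, the host www.example.org, the realm "staff" and the sample credentials are all constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: the head of a server's reply to an unauthenticated GET.
SAMPLE_401 = ('HTTP/1.0 401 Unauthorized\r\n'
              'WWW-Authenticate: Basic realm="staff"\r\n\r\n')

def parse_challenge(value):
    """Split a WWW-Authenticate value into (scheme, realm).
    Simplified: assumes the realm contains no comma."""
    scheme, _, params = value.strip().partition(" ")
    realm = None
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        if key.lower() == "realm":
            realm = val.strip('"')
    return scheme, realm

def basic_credentials(user, password):
    """Basic scheme: base64 of "user:password". This is an encoding,
    not encryption; anyone who sees the header can decode it."""
    if ":" in user:
        raise ValueError("user name may not contain ':'")
    raw = f"{user}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_get(url, user=None, password=None):
    """Build an HTTP/1.0 GET; credentials travel in a header, never the URL."""
    parts = urlsplit(url)
    if parts.scheme != "http" or "@" in parts.netloc:
        raise ValueError("http_URL is host[:port][abs_path], no user:password@")
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    lines = [f"GET {target} HTTP/1.0"]
    if user is not None:
        lines.append("Authorization: " + basic_credentials(user, password))
    return "\r\n".join(lines) + "\r\n\r\n"

def retry_after_401(url, response_head, user, password):
    """If the reply is a 401 with a Basic challenge, return (realm, retried request)."""
    status_line, *headers = response_head.split("\r\n")
    if status_line.split()[1] != "401":
        return None
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "www-authenticate":
            scheme, realm = parse_challenge(value)
            if scheme.lower() == "basic":
                return realm, build_get(url, user, password)
    return None
```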



