[Web4lib] creating a link that bypasses username and password page

Antonio Barrera (abarrera at Princeton.EDU)
Sat Jul 8 23:04:05 EDT 2006


I remember a couple of years ago, Internet Explorer had a security flaw (shocker) which allowed spoofing of URLs.  The flaw was with URLs in the form:

http://username:password@host.domain.tld/path/to/file

At the time IE responded by disallowing the URLs regardless of whether it was safe.  I'd check up on that before using the scheme.

Here's an article written as soon as the flaw was discovered: 

http://news.com.com/2100-7355_3-5150321.html

I'm following this thread myself to find a better way for these password issues, as I have primarily been using the JavaScript auto form submit method.

Antonio Barrera
Library Web Development Manager
Princeton University

----- Original Message -----
From: Dan Field <dof at llgc.org.uk>
Date: Saturday, July 8, 2006 5:56 am
Subject: Re: [Web4lib] creating a link that bypasses username and password page
To: Thomas Dowling <tdowling at ohiolink.edu>
Cc: web4lib at webjunction.org

> 
> Thomas Dowling wrote:
> > On 7/7/2006 6:36 AM, Dan Field wrote:
> >
> >> A URL can be constructed for HTTP authentication (as found in Apache
> >> .htaccess files for example) like so:
> >>
> >> http://username:password@host.domain.tld/path/to/file
> >>
> >
> > FWIW, while this parallels the userinfo part of other URI schemes, it is
> > not defined in the HTTP scheme.  Browsers may or may not support it; I
> > know from experience that some firewalls do not.
> 
> Thanks Thomas. I wasn't aware of that. Something to note for the future!
> -- 
> Dan Field <dof at llgc.org.uk>                        Tel. +44 1970 632 582
> Datblygwr Systemau                                     Systems Developer
> Llyfrgell Genedlaethol Cymru                  National Library of Wales
> 
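
Added example (not part of the original messages): a small Python check, using only the standard library, that flags http/https links carrying a userinfo part like the one discussed in this thread, reports the host that would actually be contacted, and returns the link with the userinfo stripped. The name audit_url, the issue labels and every sample URL except the one quoted in the thread are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Userinfo that itself looks like a host name is the spoofing pattern: the
# reader sees a familiar name in front of "@" while the real host follows it.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def audit_url(url):
    """Describe the userinfo risk of one URL (issue labels are this example's own)."""
    parts = urlsplit(url)
    finding = {"url": url, "host": parts.hostname, "issues": [], "clean": url}
    # Only http/https links with an "@" in the authority part are of interest.
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return finding
    # Everything before the LAST "@" is userinfo; the rest is host[:port].
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, sep, password = userinfo.partition(":")
    if sep and password:
        finding["issues"].append("embedded-password")   # secret ends up in logs, history, Referer
    if HOSTLIKE.match(user):
        finding["issues"].append("hostlike-userinfo")   # displayed name differs from real host
    if not finding["issues"]:
        finding["issues"].append("userinfo-present")
    # Rebuild the link without userinfo so it can be published safely.
    finding["clean"] = urlunsplit(parts._replace(netloc=hostport))
    return finding


# Constructed sample links, apart from the first, which is the form quoted in the thread.
SAMPLES = [
    "http://username:password@host.domain.tld/path/to/file",
    "http://www.library.example@203.0.113.7/login",
    "https://host.domain.tld/path/to/file",
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = audit_url(link)
        print(result["host"], result["issues"], result["clean"])
```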

