Home / server / Questions / 371907
Accepted
ripper234
Asked: 2012-03-22 03:16:58 +0800 CST

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

  • 772

I believe this is not possible, but someone I know insisted that it works. I don't even know what parameters to try, and I haven't found this documented anywhere.

I tried http://myserver.com/~user=username&password=mypassword but it doesn't work.

Can you confirm that it's not in fact possible to pass the user/pass via HTTP parameters (GET or POST)?

http authentication http-basic-authentication

5 Answers

  1. Best Answer

    It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:[email protected]/ -- this sends the credentials in the standard HTTP "Authorization" header.

    It's possible that whoever you were speaking to was thinking of a custom module or code that looked at the query parameters and verified the credentials. This isn't standard HTTP auth, though, it's an application-specific thing.

    • 308

  2. http://username:[email protected] will works for FireFox, Chrome, Safari BUT not for IE.

    Microsoft Knowledge Base

    • 24

  3. Passing Basic authentication parameters in URL not recommended

    There is an Authorization header field for this purpose check it here: http header list

    How to use it is written here: Basic access authentication

    There you can also read that although it is still supported by some browsers the suggested solution of adding the Basic authorization credentials in the url is not recommended.

    Read also chapter 4.1 in RFC 2617 - HTTP Authentication for more details on why NOT to use Basic Authentication.

    Passing authentication parameters in query string

    When using OAuth or other authentication services you can often also send your access token in a query string instead of in an authorization header, so something like:

    GET https://www.example.com/api/v1/users/1?access_token=1234567890abcdefghijklmnopqrstuvwxyzABCD
    • 20

  4. In your example, the URL http://myserver.com/ Would be:

    http://username:[email protected]/myserver.com/

    As of 12/19/2019 I have tested this and it works for Chrome Firefox Safari

    But not for IE, which no longer support basic authentication. I implemented this using SSRS 2017, which hides the username and password. I would recommend you test this with an Incognito Browser. Test with and without the password in different Incognito browsers. The one without the password should ask you for the password.

    • 0

  5. It is (obviously) possible to send any string in the GET parameters, although not recommended to send login and password as can make it highly visible, especially if it's not in an AJAX request.

    You will however, need to then code the server page to extract the login and password and then validate and use them in whatever way is required.

    • -1