
Include login in url (...how?)


im

Sep 22, 2003, 5:25:23 PM
When you go to a secure site you get the login window asking for user and password.
Can you include the login information in url so the window doesn't pop-up?

im

Jukka K. Korpela

Sep 23, 2003, 3:51:45 AM
brucie <bruc...@usenet.alt-html.org> wrote:

> http://username:pass...@example.com/

Beware that this
a) does not comply with the format of URLs as defined in RFCs
(although it is commonly supported by browsers)
b) includes a major security threat; for example, URLs are often stored
into different caches, where they can be retrieved from.

--
Yucca, http://www.cs.tut.fi/~jkorpela/

Jukka K. Korpela

Sep 23, 2003, 1:36:33 PM
brucie <bruc...@usenet.alt-html.org> wrote:

> what about RFC2396 section 3.2.2 (although its not recommended).

It defines the generic format of URLs. Not all URL schemes use the full
syntax of the generic format; actually, most don't. And the http: scheme
is still defined by RFC 1738, which defines the syntax of http: URLs in a
manner that does not allow a :<password>@<host> part.

>> b) includes a major security threat; for example, URLs are often stored
>> into different caches, where they can be retrieved from.
>
> i thought that was obvious

Obvious to you and me, but I'm afraid that anyone who asks for the
technical question hasn't considered the more fundamental problems yet.

--
Yucca, http://www.cs.tut.fi/~jkorpela/

Randall Bart

Sep 23, 2003, 9:55:54 PM
'Twas Tue, 23 Sep 2003 07:51:45 +0000 (UTC) when all
comp.infosystems.www.authoring.misc stood in awe as "Jukka K. Korpela"
<jkor...@cs.tut.fi> uttered:

>> http://username:pass...@example.com/
>
>Beware that this
>a) does not comply with the format of URLs as defined in RFCs
> (although it is commonly supported by browsers)

Rough consensus and running code. It works, and no one is going to drop
support for it.

>b) includes a major security threat; for example, URLs are often stored
> into different caches, where they can be retrieved from.

It's only a "major" security threat if you make it one. If I store it in
the bookmarks on my PC, it's as secure as being stored in file called
"passwords". It's for applications where the security of the PC is higher
than the security needs of username and password.
--
RB |\ © Randall Bart
aa |/ ad...@RandallBart.spam.com Bart...@att.spam.net
nr |\ Please reply without spam I LOVE YOU 1-917-715-0831
dt ||\ http://RandallBart.com/ Ånåheim Ångels 2002 World Chåmps!
a |/ Multiple sclerosis: http://www.cbc.ca/webone/alison/
l |\ DOT-HS-808-065 The Church Of The Unauthorized Truth:
l |/ MS^7=6/28/107 http://yg.cotut.com mailto:s...@cotut.com

Jukka K. Korpela

Sep 24, 2003, 3:48:55 AM
Randall Bart <Bart...@att.spam.net> wrote:

>>Beware that this
>>a) does not comply with the format of URLs as defined in RFCs
>>(although it is commonly supported by browsers)
>
> Rough consensus and running code. It works, and no one is going to
> drop support for it.

Can you guarantee that, given the facts I mentioned? (Lack of
specification, and major security problems.)

>>b) includes a major security threat; for example, URLs are often
>>stored into different caches, where they can be retrieved from.
>
> It's only a "major" security threat if you make it one.

The URL RFCs repeatedly and strongly warn against the inclusion of a
password into a URL (in cases where it is permitted by the syntax), so I
don't think it's just a matter of what I do.

> If I store it
> in the bookmarks on my PC, it's as secure as being stored in file
> called "passwords".

That is, it is not secure at all. But I digress.

> It's for applications where the security of the
> PC is higher than the security needs of username and password.

May I remind you that the topic area is miscellaneous questions about WWW
authoring? Specifically, not about the use of a browser, but about
creating World Wide Web pages and applications.

--
Yucca, http://www.cs.tut.fi/~jkorpela/
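
An added example, not part of any post in the thread: one way to audit for the storage exposure discussed above is to scan saved text (history or bookmark exports, cache listings, logs) for URLs that carry a `user:password@` part and strip it. The script runs under Node.js and uses its built-in `URL` parser; the sample lines, hostnames and credentials are constructed, and the function names are hypothetical.

```javascript
// Added example, not from the thread. All sample data below is constructed.
// Candidate URLs: scheme://... up to whitespace, quotes or angle brackets.
const URL_CANDIDATE = /\b[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi;

// Parse one candidate; return null unless it carries userinfo (user[:password]@).
function inspect(candidate) {
  let u;
  try {
    u = new URL(candidate); // real parser, so "@" in a path or query is not misread
  } catch {
    return null; // not a parseable URL
  }
  if (u.username === "" && u.password === "") return null;
  const hasPassword = u.password !== "";
  u.username = "";
  u.password = "";
  return { url: candidate, redacted: u.href, hasPassword };
}

// List every URL in `text` that embeds a username or password.
function findCredentialUrls(text) {
  return [...text.matchAll(URL_CANDIDATE)]
    .map((m) => inspect(m[0]))
    .filter((f) => f !== null);
}

// Return `text` with userinfo stripped from every URL; everything else is untouched.
function redactText(text) {
  return text.replace(URL_CANDIDATE, (c) => {
    const f = inspect(c);
    return f ? f.redacted : c;
  });
}

// Constructed sample: the kind of stored text where URLs end up.
const SAMPLE = [
  "history: http://alice:s3cret@intranet.example/reports",
  "bookmark: ftp://anonymous@ftp.example/pub/",
  "bookmark: http://www.example.com/users/@alice?mail=a@b.example",
  'cache entry "https://bob:hunter2@shop.example/cart?id=7" size=2048',
].join("\n");

for (const f of findCredentialUrls(SAMPLE)) {
  console.log(f.hasPassword ? "PASSWORD" : "username", "->", f.redacted);
}
```

The third sample line contains `@` only in the path and query, so it is neither reported nor rewritten.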
