BMaadarani

asked on

Including Login id and password within a URL..

Hi,

I have a program that collects a bunch of URLs for me to navigate at a later time. However I am having issues when navigating to secured sites, where a userid, and password is required. So I was wondering if anyone knows the syntax of how to include the login id and password within the URL, so that I am not faced with it for each URL whose web-page I am trying to download.

I appreciate any insight into this.

Thanks...
callrs

You can also enable the autocomplete for username & password (but the password is easily locally), but that's not exactly what you need...

If the registry method doesn't work, then maybe the website doesn't support username/password in the url method. In that case you can use some sort of  script to auto-fill the username & password fields of the form...
Oops: "easily locally" -> "easily extracted locally"
This is entirely site dependent.  It depends on how the site is requesting the username/password and which method is being used to transmit it to the server.  Most will not allow it to be in the url as it's a security risk to do so since anyone along the line could see the url.
http://www.httrack.com/html/faq.html#QT6  "Using user:password@address is not working!"
http://www.httrack.com/html/faq.html#QM6 "Can I use username/password authentication on a site?"
for program called httrack which can download webpages that require username & password.

http://www.faqs.org/rfcs/rfc2396.html     RFC 2396 (rfc2396) - Uniform Resource Identifiers (URI): Generic Syntax
"Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of   authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used."

Firefox allows the username & password in the URL:
http://weblogs.asp.net/mtrova/archive/2004/05/11/129901.aspx     Marco Trova's weblog : Mozilla developers smarter than IE developers -->
Mozilla developers smarter than IE developers
Ian Bicking on his blog: The dots in usernames and passwords encoded in URLs are now escaped (so http://www.mozilla.org:roadmap.html@evilscam.net/ becomes http://www%2Emozilla%2Eorg%3Aroadmap%2Ehtml@evilscam.net/), making phishing scams easier to detect (bug 240754).

This is a much more clever solution than simply removing the ability to specify usernames and passwords in URLs (something which I do in fact use every so often).
<--
referenced from:
http://blog.monstuff.com/archives/000138.html     Curiosity is bliss: Upcoming fix for IE url spoofing bug
The Registry Fix:
http://www.ultrapasswords.com/IEUserPassEnable.reg
you can enter the urls with the following syntax in IE:
http(s)://username:password@server/resource.ext
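
Added example (not part of the original thread): one way for a downloader to accept URLs in the user:password@host form without passing them on or logging them, by moving the userinfo into a Basic `Authorization` header and reporting the host that will really be contacted. The function names and sample URLs are assumptions made for illustration; the second sample is the look-alike URL quoted in the thread.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Return (url_without_userinfo, headers, real_host) for one collected URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # the text after the last "@" in the authority
    netloc = f"[{host}]" if ":" in host else host   # keep IPv6 literals bracketed
    if parts.port is not None:
        netloc += f":{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

    headers = {}
    if parts.username is not None:
        # userinfo is percent-encoded inside a URL; decode before building the header
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    return clean, headers, host


def prepare(urls):
    """Process a collected URL list; only the clean URL should be logged or stored."""
    return [split_credentials(u) for u in urls]


# Constructed sample list: one credentialed URL (RFC 7617 example credentials),
# the look-alike URL quoted in the thread, and a plain URL.
SAMPLE = [
    "https://Aladdin:open%20sesame@www.example.com:8443/reports/q1.html?id=7",
    "http://www.mozilla.org:roadmap.html@evilscam.net/",
    "http://www.example.com/public.html",
]

if __name__ == "__main__":
    for clean, headers, host in prepare(SAMPLE):
        print(f"{clean}  host={host}  auth={'yes' if headers else 'no'}")
```

This only applies to sites that use HTTP authentication, and a Basic header is merely base64-encoded, so it is still readable in transit unless the URL is https.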
I said same in my second post here.  But the fact that httrack and Firefox can and do work with such urls means that the url DOES work with many sites. So it won't hurt to try.
"Many" is relative.  Most will not as it's a security issue.
This is how to get past the .htaccess kind using ASP, I've found these scripts work best in the CGI bin

replace <url>,<username>,<password> etc

<%
  Response.Buffer = True
  Dim objXMLHTTP, xml

  Set xml = Server.CreateObject("Microsoft.XMLHTTP")

  xml.Open "GET", "<url>", False, _
           "<username>", "<password>"
 
  ' Actually Sends the request and returns the data:
  xml.Send

  Response.Write xml.responseText

  Set xml = Nothing
%>

if it is login using post, or get you would need to use this code

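<%
  Response.Buffer = True
  Dim objXMLHTTP, xml
  Set xml = Server.CreateObject("Microsoft.XMLHTTP")
 
  ' Notice the changes from the script above: POST, a form header and a request body
  xml.Open "POST", "<url>", False
  ' Without this header the server will not parse the body as form fields
  xml.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
'If you are using GET
'xml.Open "GET", "<url>", False
  xml.Send "usernamefieldname=<username>&passwordfieldname=<password>"
 
  Response.Write xml.responseText

  Set xml = Nothing
   
%>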

Or for PHP

<?php

$URL = "<url>";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$URL");
curl_setopt($ch, CURLOPT_POST, 1);
// Form fields sent in the POST body
curl_setopt($ch, CURLOPT_POSTFIELDS, "usernamefieldname=<username>&passwordfieldname=<password>");
// Sends the request; the response is written straight to the output
curl_exec($ch);
curl_close($ch);

?>

Hope this works for you, let me know how you get on!

http://www.vainternet.co.uk
BMaadarani

ASKER

Hello again,

Sorry, I was away for the week-end. My program collects a bunch of url links, and saves them to a file. Another program picks-up the resulting file, establishes a background IE session and attempts to download the pages that are listed within the URL file list.

Clearly, if the site from which the URLs came from is secured, then the background session must take into consideration the fact that a UserId and password are required to be entered.

Now, I can modify the list to include the ID and password, the question is: what is the syntax?

Thanks again
BM
E.g.:
http(s)://username:password@www.someSite.com/someResource.ext
etc.
See 1st post
 
Wait, before this goes any further, go to one of the urls in question.  Do you get a popup window asking for a username and password or is there a login section on the page?  If it's the former, the above will work, if it's the latter, it most likely won't.  Also, if it's the latter, there's likely no easy way to go about this as a truly secure site is not going to let you include the username and password in the url.  If it is opening a whole instance of IE to download these, then a password manager should be able to intervene and fill in the passwords to get the script going again, but the downloader would have to take into account the fact that the first screen it saw wouldn't be the right one and it would have to log in and then redirect again to the desired page.  So, if these are webserver authentications, they can probably be fairly easily worked around...if they're site logins, it's going to be like pulling teeth from a polar bear.
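
Added example (not part of the original thread): the check described above, pop-up prompt versus a login section on the page, made from the server's response instead of by eye. It classifies constructed sample responses and, for a login form, lists the field names a script would have to supply; all names and sample data are assumptions made for illustration.

```python
from html.parser import HTMLParser


class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").upper(),
                         "password_field": None, "other_fields": []}
        elif tag == "input" and self._cur is not None and a.get("name"):
            if (a.get("type") or "text").lower() == "password":
                self._cur["password_field"] = a["name"]
            else:
                self._cur["other_fields"].append(a["name"])   # includes hidden tokens

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            if self._cur["password_field"]:
                self.forms.append(self._cur)
            self._cur = None


def classify_login(status, headers, body):
    """Return ('http-auth', scheme), ('form-login', form_dict) or ('none', None)."""
    challenge = {k.lower(): v for k, v in headers.items()}.get("www-authenticate")
    if status == 401 and challenge:
        return "http-auth", challenge.split()[0]
    finder = LoginFormFinder()
    finder.feed(body)
    finder.close()
    return ("form-login", finder.forms[0]) if finder.forms else ("none", None)


# Constructed responses (status, headers, body); no real site is contacted.
POPUP = (401, {"WWW-Authenticate": 'Basic realm="Members"'}, "")
FORM = (200, {"Content-Type": "text/html"},
        '<form action="/login" method="post">'
        '<input type="hidden" name="session_token" value="constructed">'
        '<input name="user"><input type="password" name="passwd">'
        '<input type="submit" value="Sign in"></form>')
```

A result of `http-auth` is the case where credentials in the URL can work; `form-login` with a hidden field such as the constructed `session_token` is the case where the login depends on a session and a fixed URL cannot carry it.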
Here is an example of what I get when I issue the URL on its own.

<
  Your login session has expired.
Why does my session expire?
Login sessions expire for two reasons.

For your security, your Yahoo! Mail session expires a maximum of twenty-four hours after you have logged in. If you have chosen in your Yahoo! User Information (found be visiting "My Account" next to the Yahoo! Mail logo at the top of this page) to be prompted for a password more frequently than every day, your session will expire after the specified amount of time.
If you do not accept the cookies set on login or your computer is not configured to accept cookies, your session will expire almost immediately. We use cookies (small pieces of site information) to assist us in user authentication and in saving configuration information. Cookies are required for Yahoo! Mail.
If you see this message immediately after logging in, you should check the following:

Check to see that your computer system time is accurate. Cookies are time sensitive and may not work if your computer date is incorrect by a large amount.
Make sure that your browser is configured to accept cookies or that you agree to accept cookies during the login process.
Turn off any third party programs or control panels that automatically reject cookies.
Re-login to Yahoo! Mail>


Including the username and password as suggested results in the same result. The question is: Is there a way to maintain the cookies from the previous session, to make the new IE session think that it is still logged in?
 
Is that a free yahoo account? If so, Yahoo's servers don't allow that type of login.
Try a different site, and do it in Firefox: http://www.mozilla.com/firefox/
If it won't work in Firefox, then it won't likely work in other programs for the particular site.
 
Yes, the Yahoo account is one of the sites against which I am testing. I will try other sites to see if your suggestion works. If it does, it will be great...
As I said before, this won't work.  While it is theoretically possible to do this, it would require, at the least, that the user 'teaches' the program how to log into a specific site as even the form field names will vary from one site to the next.  Some sites will allow this to work via cookie, others will not and will require logging in each time.  There's too much variance to rely on something as simple as the url.  You'd need to directly interact with the site.
You can use a password manager that auto-enters the passwords for you
www.accountlogon.com/
http://passwordsafe.sourceforge.net/
Google for others...