Solved

Including Login id and password within a URL..

Posted on 2006-06-16
19
4,499 Views
Last Modified: 2013-11-18
Hi,

I have a program that collects a bunch of URLs for me to navigate at a later time. However I am having issues when navigating to secured sites, where a userid, and password is required. So I was wondering if anyone knows the syntax of how to include the login id and password within the URL, so that I am not faced with it for each URL whose web-page I am trying to download.

I appreciate any insight into this.

Thanks...
0
Comment
Question by:BMaadarani
  • 8
  • 5
  • 4
  • +2
19 Comments
 
LVL 30

Assisted Solution

by:callrs
callrs earned 250 total points
ID: 16923747
Quote: http://windowsxp.mvps.org/IEFAQ.htm#urlpassword    ->
"Invalid syntax error" if username & password are part of a URL

This is a result of an important security update (832894). This update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or in Windows Explorer after you install the MS04-004 Cumulative Security Update for Internet Explorer (832894): http(s)://username:password@server/resource.ext
<--

Read the rest of the above article -- it has a workaround, like this listed at http://support.microsoft.com/?kbid=834489 :
-->
How to disable the new default behavior for handling user information in HTTP or HTTPS URLs
...create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0.• For all users of the program, set the value in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
• For the current user of the program only, set the value in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
<--

Only other way would be a program that can auto-logon for you.  Check httrack documentation, see if it has login feature.
0
 
LVL 30

Expert Comment

by:callrs
ID: 16923784
You can also enable the autocomplete for username & password (but the password is easily locally), but that's not exactly what you need...

If the registry method doesn't work, then maybe the website doesn't support username/password in the url method. In that case you can use some sort of  script to auto-fill the username & password fields of the form...
0
 
LVL 30

Expert Comment

by:callrs
ID: 16923794
Oops: "easily locally" -> "easily extracted locally"
0
 
LVL 10

Expert Comment

by:ClickCentric
ID: 16925437
This is entirely site dependent.  It depends on how the site is requesting the username/password and which method is being used to transmit it to the server.  Most will not allow it to be in the url as it's a security risk to do so since anyone along the line could see the url.
0
 
LVL 30

Expert Comment

by:callrs
ID: 16925475
http://www.httrack.com/html/faq.html#QT6  "Using user:password@address is not working!"
http://www.httrack.com/html/faq.html#QM6 "Can I use username/password authentication on a site?"
for program called httrack which can download webpages that require username & password.

http://www.faqs.org/rfcs/rfc2396.html     RFC 2396 (rfc2396) - Uniform Resource Identifiers (URI): Generic Syntax
"Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of   authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used."

Firefox allows the username & password in the URL:
http://weblogs.asp.net/mtrova/archive/2004/05/11/129901.aspx     Marco Trova's weblog : Mozilla developers smarter than IE developers -->
Mozilla developers smarter than IE developers
Ian Bicking on his blog: The dots in usernames and passwords encoded in URLs are now escaped (so http://www.mozilla.org:roadmap.html@evilscam.net/ becomes http://www%2Emozilla%2Eorg%3Aroadmap%2Ehtml@evilscam.net/), making phishing scams easier to detect (bug 240754).

This is a much more clever solution than simply removing the ability to specify usernames and passwords in URLs (something which I do in fact use every so often).
<--
referenced from:
http://blog.monstuff.com/archives/000138.html     Curiosity is bliss: Upcoming fix for IE url spoofing bug
0
 
LVL 4

Expert Comment

by:John-Bayles
ID: 16926368
The Registery Fix:
http://www.ultrapasswords.com/IEUserPassEnable.reg
you can enter the urls with the follwoing syntax in IE:
http(s)://username:password@server/resource.ext
0
 
LVL 10

Accepted Solution

by:
ClickCentric earned 250 total points
ID: 16926733
I can't seem to stress this enough...that is solely for webserver authentications, not for site logins.  If you go to a site that has a little box on it where you enter your username and password, no registry fix or patch or setting change is going to help as it's a server-side issue and not a client-side one.  Whether or not it can be passed in the url is entirely up to the designers of the site.  But, as I mentioned, most won't allow it because it's a security risk.
0
 
LVL 30

Expert Comment

by:callrs
ID: 16926795
I said same in my second post here.  But the fact that httrack and Firefox can and do work with such urls means that the url DOES work with many sites. So it won't hurt to try.
0
 
LVL 10

Expert Comment

by:ClickCentric
ID: 16926820
"Many" is relative.  Most will not as it's a security issue.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Expert Comment

by:vainternet
ID: 16932307
This is how to get past the .htaccess kind using ASP, i've found these scripts work best in the CGI bin

replace <url>,<username>,<password> etc

<%
  Response.Buffer = True
  Dim objXMLHTTP, xml

  Set xml = Server.CreateObject("Microsoft.XMLHTTP")

  xml.Open "GET", "<url>", False, _
           "<username>", "<password>"
 
  ' Actually Sends the request and returns the data:
  xml.Send

  Response.Write xml.responseText

  Set xml = Nothing
%>

if it is login using post, or get you would need to use this code

<%
  Response.Buffer = True
  Dim objXMLHTTP, xml
  Set xml = Server.CreateObject("Microsoft.XMLHTTP")
 
  ' Notice the two changes in the next two lines:
  xml.Open "POST", "<url>", False
'If you are using GET
'xml.Open "GET", "<url>", False
  xml.Send "usernamefieldname=<username>&passwordfieldname=<password>"
 
  Response.Write xml.responseText

  Set xml = Nothing
   
%>

Or for PHP

<?

$URL="<url>";  
$ch = curl_init();    
curl_setopt($ch, CURLOPT_URL,"http://$URL");  
curl_setopt($ch, CURLOPT_POST, 1);  
curl_setopt($ch, CURLOPT_POSTFIELDS, "usernamefieldname=<username>&passwordfieldname=<password>" curl_exec ($ch);      
curl_close ($ch);  


?>

Hope this works for you, let me know how you get on!

http://www.vainternet.co.uk
0
 

Author Comment

by:BMaadarani
ID: 16934804
Hello again,

Sorry, I was away for  the week-end. My program collects a bunch of url links, and saves them to a file. Another program picks-up the resulting file, establishes a background IE session and attempts to download the pages that are listed within the URL file list.

Clearly, if the site from which the URLs came from is secured, then the background session must take into consideration the fact that a UserId and password are required to be entered.

Now, I can modify the list to include the ID and password, the question is: what is the syntax?

Thanks again
BM
0
 
LVL 30

Expert Comment

by:callrs
ID: 16934875
E.g.:
http(s)://username:password@www.someSite.com/someResource.ext
etc.
See 1st post
 
0
 

Author Comment

by:BMaadarani
ID: 16934917
0
 
LVL 10

Expert Comment

by:ClickCentric
ID: 16934972
Wait, before this goes any further, go to one of the urls in question.  Do you get a popup window asking for a username and password or is there a login section on the page?  If it's the former, the above will work, if it's the latter, it most likely won't.  Also, if it's the latter, there's likely no easy way to go about this as a truly secure site is not going to let you include the username and password in the url.  If it is opening a whole instance of IE to download these, then a password manager should be able to intervene and fill in the passwords to get the script going again, but the downloader would have to take into account the fact that the first screen it saw wouldn't be the right one and it would have to log in and then redirect again to the desired page.  So, if these are webserver authentications, they can probably be fairly easily worked around...if they're site logins, it's going to be like pulling teeth from a polar bear.
0
 

Author Comment

by:BMaadarani
ID: 16935011
Here is an example of what I get when I issue the URL on its own.

<
  Your login session has expired.
Why does my session expire?
Login sessions expire for two reasons.

For your security, your Yahoo! Mail session expires a maximum of twenty-four hours after you have logged in. If you have chosen in your Yahoo! User Information (found be visiting "My Account" next to the Yahoo! Mail logo at the top of this page) to be prompted for a password more frequently than every day, your session will expire after the specified amount of time.
If you do not accept the cookies set on login or your computer is not configured to accept cookies, your session will expire almost immediately. We use cookies (small pieces of site information) to assist us in user authentication and in saving configuration information. Cookies are required for Yahoo! Mail.
If you see this message immediately after logging in, you should check the following:

Check to see that your computer system time is accurate. Cookies are time sensitive and may not work if your computer date is incorrect by a large amount.
Make sure that your browser is configured to accept cookies or that you agree to accept cookies during the login process.
Turn off any third party programs or control panels that automatically reject cookies.
Re-login to Yahoo! Mail>


Including the username an password as suggested results in the same result. The questioin is: Is there a way to maintain the cookies from the previous session, to make the new IE session think that it is still logged in?
 
0
 
LVL 30

Expert Comment

by:callrs
ID: 16935204
Is that a free yahoo account? If so, Yahoo's servers don't allow that type of login.
Try a different site, and do it in Firefox: http://www.mozilla.com/firefox/
If it won't work in Firefox, then it won'l likely work in other programs for the particular site.
 
0
 

Author Comment

by:BMaadarani
ID: 16935248
Yes, the Yahoo account is one of the sites agains which I am testing. I will try other sites to see if your suggestion works. If it does, it will be great...
0
 
LVL 10

Expert Comment

by:ClickCentric
ID: 16938624
As I said before, this won't work.  While it is theoretically possible to do this, it would require, at the least, that the user 'teaches' the program how to log into a specific site as even the form field names will vary from one site to the next.  Some sites will allow this to work via cookie, others will not and will require logging in each time.  There's too much variance to rely on something as simple as the url.  You'd need to directly interact with the site.
0
 
LVL 30

Expert Comment

by:callrs
ID: 16940789
You can use a password manager that auto-enters the passwords for you
www.accountlogon.com/
http://passwordsafe.sourceforge.net/
Google for others...
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…
The viewer will the learn the benefit of plain text editors and code an HTML5 based template for use in further tutorials.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now