• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4857
  • Last Modified:

Including Login id and password within a URL..

Hi,

I have a program that collects a bunch of URLs for me to navigate at a later time. However I am having issues when navigating to secured sites, where a userid, and password is required. So I was wondering if anyone knows the syntax of how to include the login id and password within the URL, so that I am not faced with it for each URL whose web-page I am trying to download.

I appreciate any insight into this.

Thanks...
0
BMaadarani
Asked:
BMaadarani
  • 8
  • 5
  • 4
  • +2
2 Solutions
 
callrsCommented:
Quote: http://windowsxp.mvps.org/IEFAQ.htm#urlpassword    ->
"Invalid syntax error" if username & password are part of a URL

This is a result of an important security update (832894). This update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or in Windows Explorer after you install the MS04-004 Cumulative Security Update for Internet Explorer (832894): http(s)://username:password@server/resource.ext
<--

Read the rest of the above article -- it has a workaround, like this listed at http://support.microsoft.com/?kbid=834489 :
-->
How to disable the new default behavior for handling user information in HTTP or HTTPS URLs
...create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0.• For all users of the program, set the value in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
• For the current user of the program only, set the value in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
<--

Only other way would be a program that can auto-logon for you.  Check httrack documentation, see if it has login feature.
0
 
callrsCommented:
You can also enable the autocomplete for username & password (but the password is easily locally), but that's not exactly what you need...

If the registry method doesn't work, then maybe the website doesn't support username/password in the url method. In that case you can use some sort of  script to auto-fill the username & password fields of the form...
0
 
callrsCommented:
Oops: "easily locally" -> "easily extracted locally"
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
ClickCentricCommented:
This is entirely site dependent.  It depends on how the site is requesting the username/password and which method is being used to transmit it to the server.  Most will not allow it to be in the url as it's a security risk to do so since anyone along the line could see the url.
0
 
callrsCommented:
http://www.httrack.com/html/faq.html#QT6  "Using user:password@address is not working!"
http://www.httrack.com/html/faq.html#QM6 "Can I use username/password authentication on a site?"
for program called httrack which can download webpages that require username & password.

http://www.faqs.org/rfcs/rfc2396.html     RFC 2396 (rfc2396) - Uniform Resource Identifiers (URI): Generic Syntax
"Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of   authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used."

Firefox allows the username & password in the URL:
http://weblogs.asp.net/mtrova/archive/2004/05/11/129901.aspx     Marco Trova's weblog : Mozilla developers smarter than IE developers -->
Mozilla developers smarter than IE developers
Ian Bicking on his blog: The dots in usernames and passwords encoded in URLs are now escaped (so http://www.mozilla.org:roadmap.html@evilscam.net/ becomes http://www%2Emozilla%2Eorg%3Aroadmap%2Ehtml@evilscam.net/), making phishing scams easier to detect (bug 240754).

This is a much more clever solution than simply removing the ability to specify usernames and passwords in URLs (something which I do in fact use every so often).
<--
referenced from:
http://blog.monstuff.com/archives/000138.html     Curiosity is bliss: Upcoming fix for IE url spoofing bug
0
 
John-BaylesCommented:
The Registery Fix:
http://www.ultrapasswords.com/IEUserPassEnable.reg
you can enter the urls with the follwoing syntax in IE:
http(s)://username:password@server/resource.ext
0
 
ClickCentricCommented:
I can't seem to stress this enough...that is solely for webserver authentications, not for site logins.  If you go to a site that has a little box on it where you enter your username and password, no registry fix or patch or setting change is going to help as it's a server-side issue and not a client-side one.  Whether or not it can be passed in the url is entirely up to the designers of the site.  But, as I mentioned, most won't allow it because it's a security risk.
0
 
callrsCommented:
I said same in my second post here.  But the fact that httrack and Firefox can and do work with such urls means that the url DOES work with many sites. So it won't hurt to try.
0
 
ClickCentricCommented:
"Many" is relative.  Most will not as it's a security issue.
0
 
vainternetCommented:
This is how to get past the .htaccess kind using ASP, i've found these scripts work best in the CGI bin

replace <url>,<username>,<password> etc

<%
  Response.Buffer = True
  Dim objXMLHTTP, xml

  Set xml = Server.CreateObject("Microsoft.XMLHTTP")

  xml.Open "GET", "<url>", False, _
           "<username>", "<password>"
 
  ' Actually Sends the request and returns the data:
  xml.Send

  Response.Write xml.responseText

  Set xml = Nothing
%>

if it is login using post, or get you would need to use this code

<%
  Response.Buffer = True
  Dim objXMLHTTP, xml
  Set xml = Server.CreateObject("Microsoft.XMLHTTP")
 
  ' Notice the two changes in the next two lines:
  xml.Open "POST", "<url>", False
'If you are using GET
'xml.Open "GET", "<url>", False
  xml.Send "usernamefieldname=<username>&passwordfieldname=<password>"
 
  Response.Write xml.responseText

  Set xml = Nothing
   
%>

Or for PHP

<?

$URL="<url>";  
$ch = curl_init();    
curl_setopt($ch, CURLOPT_URL,"http://$URL");  
curl_setopt($ch, CURLOPT_POST, 1);  
curl_setopt($ch, CURLOPT_POSTFIELDS, "usernamefieldname=<username>&passwordfieldname=<password>" curl_exec ($ch);      
curl_close ($ch);  


?>

Hope this works for you, let me know how you get on!

http://www.vainternet.co.uk
0
 
BMaadaraniAuthor Commented:
Hello again,

Sorry, I was away for  the week-end. My program collects a bunch of url links, and saves them to a file. Another program picks-up the resulting file, establishes a background IE session and attempts to download the pages that are listed within the URL file list.

Clearly, if the site from which the URLs came from is secured, then the background session must take into consideration the fact that a UserId and password are required to be entered.

Now, I can modify the list to include the ID and password, the question is: what is the syntax?

Thanks again
BM
0
 
callrsCommented:
E.g.:
http(s)://username:password@www.someSite.com/someResource.ext
etc.
See 1st post
 
0
 
ClickCentricCommented:
Wait, before this goes any further, go to one of the urls in question.  Do you get a popup window asking for a username and password or is there a login section on the page?  If it's the former, the above will work, if it's the latter, it most likely won't.  Also, if it's the latter, there's likely no easy way to go about this as a truly secure site is not going to let you include the username and password in the url.  If it is opening a whole instance of IE to download these, then a password manager should be able to intervene and fill in the passwords to get the script going again, but the downloader would have to take into account the fact that the first screen it saw wouldn't be the right one and it would have to log in and then redirect again to the desired page.  So, if these are webserver authentications, they can probably be fairly easily worked around...if they're site logins, it's going to be like pulling teeth from a polar bear.
0
 
BMaadaraniAuthor Commented:
Here is an example of what I get when I issue the URL on its own.

<
  Your login session has expired.
Why does my session expire?
Login sessions expire for two reasons.

For your security, your Yahoo! Mail session expires a maximum of twenty-four hours after you have logged in. If you have chosen in your Yahoo! User Information (found be visiting "My Account" next to the Yahoo! Mail logo at the top of this page) to be prompted for a password more frequently than every day, your session will expire after the specified amount of time.
If you do not accept the cookies set on login or your computer is not configured to accept cookies, your session will expire almost immediately. We use cookies (small pieces of site information) to assist us in user authentication and in saving configuration information. Cookies are required for Yahoo! Mail.
If you see this message immediately after logging in, you should check the following:

Check to see that your computer system time is accurate. Cookies are time sensitive and may not work if your computer date is incorrect by a large amount.
Make sure that your browser is configured to accept cookies or that you agree to accept cookies during the login process.
Turn off any third party programs or control panels that automatically reject cookies.
Re-login to Yahoo! Mail>


Including the username an password as suggested results in the same result. The questioin is: Is there a way to maintain the cookies from the previous session, to make the new IE session think that it is still logged in?
 
0
 
callrsCommented:
Is that a free yahoo account? If so, Yahoo's servers don't allow that type of login.
Try a different site, and do it in Firefox: http://www.mozilla.com/firefox/
If it won't work in Firefox, then it won'l likely work in other programs for the particular site.
 
0
 
BMaadaraniAuthor Commented:
Yes, the Yahoo account is one of the sites agains which I am testing. I will try other sites to see if your suggestion works. If it does, it will be great...
0
 
ClickCentricCommented:
As I said before, this won't work.  While it is theoretically possible to do this, it would require, at the least, that the user 'teaches' the program how to log into a specific site as even the form field names will vary from one site to the next.  Some sites will allow this to work via cookie, others will not and will require logging in each time.  There's too much variance to rely on something as simple as the url.  You'd need to directly interact with the site.
0
 
callrsCommented:
You can use a password manager that auto-enters the passwords for you
www.accountlogon.com/
http://passwordsafe.sourceforge.net/
Google for others...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 8
  • 5
  • 4
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now