INFO: URL Syntax for Authentication Without Dialog Prompt

• Microsoft Internet Explorer (Programming) versions 3.0, 3.01, 3.02, 4.0, 4.01, 4.01 SP1, 4.01 SP2, 5

SUMMARY

Internet Explorer versions 3.0 and higher support the URL syntax:

http://username:password@server/resource.ext

MORE INFORMATION

Even though this syntax is actually part of the URL specification for the FTP protocol (not HTTP), it was common practice to support the syntax for HTTP requests with browsers even before the release of Internet Explorer 3.0 .

The Win32 Internet API (WinInet) function InternetOpenUrl also accepts HTTP URLs of this form. However, the other WinInet APIs, such as HttpOpenRequest, require that the program parse the URL and make the calls necessary for authentication. For more information, please refer to the "HTTP Authentication" (HTTPAUTH) sample on the MSDN Online Workshop at:

http://msdn.microsoft.com/downloads/samples/internet/networking/httpauth/default.asp

NOTE: Please be aware that the use of this URL syntax has potential security implications, as it exposes the user's name and password in plain text within the URL for the displayed page.

An example of the security danger is that in a cross-frame or hidden-frame scenario, script in pages from visited Web sites can easily access the URL, parse it, and determine the username and password for other sites.

NOTE: The following IE 3.02 security patches are known to break this syntax.

• Page Redirect Patch - November, 1997
• Year 2000 Update - May, 1998

REFERENCES

URL specification from RFC 2308: http://ds.internic.net/rfc/rfc2308.txt

© Microsoft Corporation 1999, All Rights Reserved.
Contributions by Jason Strayer, Microsoft Corporation

Additional query words:

Keywords : kbIE301 kbIE400 kbIE401 kbSecurity kbWinInet kbIE302 kbIE401sp1 kbIE500dp1 kbGrpInet kbDSupport
Version : WINDOWS:3.0,3.01,3.02,4.0,4.01,4.01 SP1,4.01 SP2,5
Platform : WINDOWS
Issue type : kbinfo