INFO: URL Syntax for Authentication Without Dialog Prompt

ID: Q200351


The information in this article applies to:
  • Microsoft Internet Explorer (Programming) versions 3.0, 3.01, 3.02, 4.0, 4.01, 4.01 SP1, 4.01 SP2, 5


SUMMARY

Internet Explorer versions 3.0 and higher support the URL syntax:

http://username:password@server/resource.ext

When navigating to this URL, Internet Explorer automatically uses the specified username and password to authenticate with the remote server. No dialogs are shown unless the server deems the username or password invalid.


MORE INFORMATION

Even though this syntax is actually part of the URL specification for the FTP protocol (not HTTP), it was common practice to support the syntax for HTTP requests with browsers even before the release of Internet Explorer 3.0.

The Win32 Internet API (WinInet) function InternetOpenUrl also accepts HTTP URLs of this form. However, the other WinInet APIs, such as HttpOpenRequest, require that the program parse the URL and make the calls necessary for authentication. For more information, please refer to the "HTTP Authentication" (HTTPAUTH) sample on the MSDN Online Workshop at:

http://msdn.microsoft.com/downloads/samples/internet/networking/httpauth/default.asp

NOTE: Please be aware that the use of this URL syntax has potential security implications, as it exposes the user's name and password in plain text within the URL for the displayed page.

An example of the security danger is that in a cross-frame or hidden-frame scenario, script in pages from visited Web sites can easily access the URL, parse it, and determine the username and password for other sites.
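
As an added illustration (not part of the original article or of the HTTPAUTH sample), the following JavaScript shows one way a program can parse a URL of this form, take the username and password out, and keep only the credential-free URL for display, logging or navigation. The function names, the sample hosts and credentials, and the choice of HTTP Basic as the authentication scheme are assumptions made for the example.

```javascript
// Added example: separate the credentials from a URL of the form
//   http://username:password@server/resource.ext
// so that the URL which is stored, logged or shown no longer contains them.
// Hosts, user names and passwords used with it are constructed samples.

// Userinfo is kept percent-encoded by the URL parser. Decode it, but fall
// back to the raw text if it holds a malformed escape such as "%zz".
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return text;
  }
}

function splitUrlCredentials(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on a malformed URL
  const hasCredentials = url.username !== '' || url.password !== '';
  const username = safeDecode(url.username);
  const password = safeDecode(url.password);

  // Clearing both fields drops the "username:password@" part from href.
  url.username = '';
  url.password = '';

  // Assumption: the server uses HTTP Basic, so the credentials travel in
  // an Authorization header instead of in the URL.
  const authorization = hasCredentials
    ? 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64')
    : null;

  return { hasCredentials, cleanUrl: url.href, username, password, authorization };
}

// True when a URL would expose a username or password to anything that can
// read it (history, logs, referring pages, other frames).
function urlExposesCredentials(rawUrl) {
  return splitUrlCredentials(rawUrl).hasCredentials;
}
```

Passing only `cleanUrl` onward keeps the password out of the address that other code can read, while `authorization` carries it in the request itself.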

NOTE: The following IE 3.02 security patches are known to break this syntax.

  • Page Redirect Patch - November, 1997
  • Year 2000 Update - May, 1998

If use of this syntax is required in addition to the fixes listed above, then the only currently supported resolution is to upgrade to Internet Explorer 4 or 5.


REFERENCES

URL specification from RFC 2308: http://ds.internic.net/rfc/rfc2308.txt

© Microsoft Corporation 1999, All Rights Reserved.
Contributions by Jason Strayer, Microsoft Corporation

Keywords : kbIE301 kbIE400 kbIE401 kbSecurity kbWinInet kbIE302 kbIE401sp1 kbIE500dp1 kbGrpInet kbDSupport
Version : WINDOWS:3.0,3.01,3.02,4.0,4.01,4.01 SP1,4.01 SP2,5
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: November 17, 1999
© 2000 Microsoft Corporation. All rights reserved.