Supplying logon credentials within a URL

This content is 20 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Alex e-mailed me earlier and told me that the RSS feed on my family blog was broken. Actually, I’d password protected the site, and forgotten to update the details in Feedburner (which translates Blogger’s Atom output to RSS for me). I couldn’t find any fields in the feed service settings to supply username and password credentials until an unusually helpful error message suggested that I should enter the URL as http://username:password@domainname/document.extension.

I knew that particular syntax worked for FTP, but not for HTTP too! Of course, if I was really that bothered about security I should secure the site using HTTPS, but in this case, the username and password is only a deterrent and there’s not really anything there that needs SSL security.

5 thoughts on “Supplying logon credentials within a URL

  1. For some reason, Firefox for Macintosh and Safari don’t appear to allow users to log in that way. Not that you care, with your Microsoft-sponsored blog :)

  2. If only my blog was sponsored by Microsoft! Unfortunately it is isn’t, but I checked out RFC 2396 which defines the generic syntax for URIs (specifically section 3.2.2) and it seems that the Mozilla-based browsers you are having issues with are not RFC compliant ;-)

    There’s also some interesting reading in the how to obscure any URL page at the PC Help website.

  3. You may like to look back at Microsoft technet articles – they stated that they would remove the ability to supply auth credentials on the URL in MSIE.

    So not sponsored by M$.

  4. According to Microsoft knowledge base article 834489, a security update is available that modifies the default behaviour of Internet Explorer for handling user information in HTTP and in HTTPS URLs; however, this URL format still works for FTP. In fact, my post about how Internet Explorer displays credentials in the status bar when used as an FTP client shows just how badly it works in FTP!

    On a related note, readers of this post might also be interested in my recent comments about web standards.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.