Microsoft KB Archive/200351

= INFO: URL Syntax for Authentication Without Dialog Prompt =

PSS ID Number: 200351

Article Last Modified on 5/17/2002


The information in this article applies to:


 * Microsoft Internet Explorer (Programming) 3.0
 * Microsoft Internet Explorer (Programming) 3.01
 * Microsoft Internet Explorer (Programming) 3.02
 * Microsoft Internet Explorer (Programming) 4.0
 * Microsoft Internet Explorer (Programming) 4.01
 * Microsoft Internet Explorer (Programming) 4.01 SP1
 * Microsoft Internet Explorer (Programming) 4.01 SP2
 * Microsoft Internet Explorer (Programming) 5
 * Microsoft Windows Internet Services (WinInet)




This article was previously published under Q200351



== SUMMARY ==
Internet Explorer versions 3.0 and higher support the URL syntax:

http://username:password@server/resource.ext

When navigating to this URL, Internet Explorer automatically uses the specified username and password to authenticate with the remote server. No dialog box is shown unless the server deems the username or password invalid.



== MORE INFORMATION ==
Even though this syntax is actually part of the URL specification for the FTP protocol (not HTTP), it was common practice to support the syntax for HTTP requests with browsers even before the release of Internet Explorer 3.0.

The Win32 Internet API (WinInet) function InternetOpenUrl also accepts HTTP URLs of this form. However, the other WinInet APIs, such as HttpOpenRequest, require that the program parse the URL and make the calls necessary for authentication. For more information, please refer to the "HTTP Authentication" (HTTPAUTH) sample on the MSDN Online Workshop at:

http://msdn.microsoft.com/downloads/samples/internet/networking/httpauth/default.asp

NOTE: Please be aware that the use of this URL syntax has potential security implications, as it exposes the user's name and password in plain text within the URL for the displayed page.

An example of the security danger is that in a cross-frame or hidden-frame scenario, script in pages from visited Web sites can easily access the URL, parse it, and determine the username and password for other sites.
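As an added example (not part of the original article or of WinInet), the following JavaScript for Node.js shows the parsing step a program must perform itself when an API does not accept credentials in the URL, and it keeps the username and password out of the URL that is later displayed or logged. The helper names `decodeUserinfo` and `splitUrlCredentials` are hypothetical, and the `Authorization` value assumes the server uses HTTP Basic authentication.

```javascript
// Added example, not from the KB article. Runs on Node.js (global URL, Buffer).

// Userinfo is percent-encoded in a parsed URL; decode it, but keep the raw
// text if it contains a malformed escape such as "%zz".
function decodeUserinfo(part) {
  try {
    return decodeURIComponent(part);
  } catch (e) {
    return part;
  }
}

// Hypothetical helper: split http://username:password@server/resource.ext
// into a credential-free URL plus a separate Authorization header value.
function splitUrlCredentials(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on an unparsable URL
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('unsupported scheme: ' + url.protocol);
  }
  if (url.username === '' && url.password === '') {
    return { url: url.href, hadCredentials: false, authorization: null };
  }
  const user = decodeUserinfo(url.username);
  const pass = decodeUserinfo(url.password);
  // Clearing both fields removes "user:pass@" from the serialized URL, so the
  // value that is displayed, logged or exposed to script carries no secret.
  url.username = '';
  url.password = '';
  // Assumption: the server uses HTTP Basic authentication.
  const token = Buffer.from(user + ':' + pass, 'utf8').toString('base64');
  return { url: url.href, hadCredentials: true, authorization: 'Basic ' + token };
}

// Constructed sample inputs (the first is the form shown in the article).
const samples = [
  'http://username:password@server/resource.ext',
  'http://user:p%40ss@server/resource.ext',
  'http://server/resource.ext',
];
for (const s of samples) {
  const r = splitUrlCredentials(s);
  console.log(r.hadCredentials ? 'stripped' : 'clean   ', r.url);
}
```

Only the credential-free `url` should be stored, displayed or logged; the `authorization` value is sent as a request header over a protected connection.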

NOTE: The following IE 3.02 security patches are known to break this syntax.
 * Page Redirect Patch - November, 1997
 * Year 2000 Update - May, 1998

If use of this syntax is required in addition to the fixes listed above, then the only currently supported resolution is to upgrade to Internet Explorer 4 or 5.

