


Sometimes a web standard disappears quickly at the whim of some company, perhaps to a great deal of complaint (and at least one joke).

But sometimes, they disappear slowly, like this kind of web

If you’ve not seen a URL like that before, that’s fine, because the answer to the question “Can I still use HTTP Basic Auth in URLs?” is, I’m afraid: no, you probably can’t.

But by way of a history lesson, let’s go back and look at what these URLs were, why they died out, and how web browsers handle them today. Thanks to Ruth who asked the original question that inspired this post.

The early Web wasn’t built for authentication. A resource on the Web was theoretically accessible to all of humankind: if you didn’t want it in the public eye, you didn’t put it on the Web! A reliable method wouldn’t become available until the concept of state was provided by Netscape’s invention of HTTP cookies in 1994, and even that wouldn’t see widespread use for several years, not least because implementing a CGI (or similar) program to perform authentication was a complex and computationally-expensive option for all but the biggest websites.

[Figure: A simplified view of the form-and-cookie based authentication system used by virtually every website today, but which was too computationally-expensive for many sites in the 1990s.]

1996’s HTTP/1.0 specification tried to simplify things, though, with the introduction of the

Then, the browser would send a fresh request, this time with an Authorization: header attached providing the required credentials. Initially, only “basic authentication” was available, which basically involved sending a username and password in-the-clear unless SSL (HTTPS) was in use, but later, digest authentication and a host of others would appear.

For all its faults, HTTP Basic Authentication (and its near cousins) are certainly elegant. Webserver software quickly added support for this new feature and as a result web authors who lacked the technical know-how (or permission from the server administrator) to implement more-sophisticated authentication systems could quickly implement HTTP Basic Authentication, often simply by adding a .htaccess file to the relevant directory. .htaccess files would later go on to serve many other purposes, but their original and perhaps best-known purpose – and the one that gives them their name – was access control.

Credentials in the URL

A separate specification, not specific to the Web (but one of Tim Berners-Lee’s most important contributions to it), described the general structure of URLs as

At the time that specification was written, the Web didn’t have a mechanism for passing usernames and passwords: this general case was intended only to apply to protocols that did have these credentials. An example is given in the specification, and clarified with “An optional user name. Some schemes (e.g., ftp) allow the specification of a user name.”

But once web browsers had

hyperlinks with credentials embedded in them, which made for very convenient bookmarks, or partial credentials (e.g. just the username) to be included in a link, with the user being prompted for the password on arrival at the destination.

Encoding authentication into the URL provided an incredible shortcut at a time when Web round-trip times were much longer owing to higher latencies and no keep-alives.

The technique fell out of favour as soon as it started being used for nefarious purposes. It didn’t take long for scammers to realise that they could create links like

we were teaching users about checking for “ followed by the domain name of their bank… was undermined by this user interface choice. The poor victim would actually be connecting to e.g.
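As an added example (not code from the original post), the following Python shows the two mechanics the post describes from a defender’s side: how a standards-conforming URL parser resolves a link with a userinfo component (everything before the last “@” is credentials, the real destination host comes after it), and how the Basic credential carried in the Authorization header is merely base64, readable by anyone on the path unless HTTPS is used. The hostnames, usernames and passwords are constructed placeholders, and the “deceptive userinfo” check is a simple heuristic of my own, not anything a browser implements.

```python
import base64
from urllib.parse import urlsplit


def parse_credentialed_url(url: str) -> dict:
    """Split a URL as RFC 3986 does and surface the userinfo component.
    'host' is the authority after the last '@': the server actually contacted."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,      # real destination, lower-cased by urlsplit
        "username": parts.username,  # None when no userinfo is present
        "password": parts.password,
        "path": parts.path or "/",
    }


def basic_authorization_header(username: str, password: str) -> str:
    """Build the header a browser sends after a 401 with 'WWW-Authenticate: Basic'.
    base64 is an encoding, not encryption: the pair is effectively in the clear."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_authorization(header: str) -> tuple:
    """Inverse of the above, as the server (or a network observer) sees it."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def looks_like_deceptive_userinfo(url: str) -> bool:
    """Heuristic (constructed for this example): flag links whose userinfo
    resembles a hostname, the pattern that undermined 'check the domain'
    advice. Plain usernames such as 'alice' are not flagged."""
    parts = urlsplit(url)
    if parts.username is None:
        return False
    info = parts.username + (":" + parts.password if parts.password else "")
    return "." in info or info.lower().startswith("www")


if __name__ == "__main__":
    # Constructed sample links: a legitimate intranet bookmark and a lookalike.
    for link in ("https://alice:s3cret@intranet.example/gallery/",
                 "https://www.yourbank.example@attacker.example/login"):
        info = parse_credentialed_url(link)
        print(link, "->", info["host"], "| suspicious:", looks_like_deceptive_userinfo(link))
    print(basic_authorization_header("alice", "s3cret"))
```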
