Wednesday, March 29, 2017

authenticated URL spaces vs PRISM vs NSA

Escaping username characters in basic auth URLs



When using HTTP basic authentication, the username can be passed in the URL, e.g.
http://david@foo.com/path/
But now suppose the username is an email address, e.g. david@company.com. Doing this is clearly ambiguous:
http://david@company.com@foo.com/path/
Is there a way to escape the @ character in the username? I tried standard URL encoding:
http://david%40company.com@foo.com/path/
But that didn't do it.
You can't use @ in URLs. Or did I get you wrong? – Hnatt Jul 16 '11 at 15:53
Accepted answer (score 42)
According to RFC 3986, section 3.2.1, it needs to be percent encoded:
  userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
So it looks like
http://david%40company.com@foo.com/path/
is right. Where are you trying to read it? Maybe you need to manually decode the value?
I have my own server side code that processes the credentials. I need to debug it and see exactly what I receive when I escape this way. I'll follow up! – David Ebbo Jul 16 '11 at 16:27
Clients don't appear to do well with that syntax. e.g. IE9 blocks it before even sending any request, and gives the error "Windows cannot find 'david%40company.com@foo.com/path/'. Check the spelling and try again.". This leads me to believe that this syntax is not actually supported, despite what it may seem from the RFC. – David Ebbo Jul 17 '11 at 5:15
   
Works fine using curl... – Matthew Gilliard Nov 25 '15 at 16:43
   
Interesting. We tried this exact syntax with a URL being fetched using Drupal's drupal_http_request, and it didn't let the user log in. (We have since fixed the problem, but I came searching anyway out of academic interest.) – Trejkaz Jan 23 at 2:15
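
The two points of the accepted answer, percent-encoding the userinfo and decoding it manually on the receiving side, as an added Python example that is not part of the original question or answers. The function names and the sample password are constructed for illustration.

```python
import base64
from urllib.parse import quote, unquote, urlsplit, urlunsplit


def build_auth_url(scheme, host, path, username, password=None):
    """Build scheme://userinfo@host/path with userinfo escaped per RFC 3986, 3.2.1."""
    # safe="" escapes "@", ":" and "/" so they cannot be read as delimiters.
    userinfo = quote(username, safe="")
    if password is not None:
        userinfo += ":" + quote(password, safe="")
    return urlunsplit((scheme, f"{userinfo}@{host}", path, "", ""))


def split_credentials(url):
    """Return (hostname, username, password, url_without_userinfo)."""
    parts = urlsplit(url)
    # urlsplit leaves userinfo percent-encoded; decode it manually.
    username = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    # Drop everything up to the last "@" so credentials are not logged or re-sent.
    hostinfo = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, hostinfo, parts.path, parts.query, parts.fragment))
    return parts.hostname, username, password, clean


def basic_auth_header(username, password):
    """Authorization header value; it carries the decoded credentials."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # "s3cret" is a constructed sample password, not from the original page.
    url = build_auth_url("http", "foo.com", "/path/", "david@company.com", "s3cret")
    print(url)
    host, user, pw, clean = split_credentials(url)
    print(host, user, clean)
    print(basic_auth_header(user, pw))
```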
