Username &amp; Password Security

Username & Password Security

anotherocd

can anyone that is familiar with HTTP authentication and the HTTP protocol tell me if embedding the username and password in the URL is safe (i.e. http://username:password@domain.com ) ????

Intuitivley, it seems wide open for anyone to view, but does the browser convert this data before it sends it or does the protocol have a mechanism for protecting this.

Does anyone know of any alternatives???

drawmack

This is highly insecure. As far as other means there are about 900 threads covering this on the boards use the damn search button.

anotherocd

Don't be a douche bag - don't you think that I would've searched the threads before asking the question.

Every thread that I have seen deals with host authentication - I am dealing with a script that acts as the client and is attempting to login in to a protected site automatically without using the username:password@domain.com method.

Maybe I haven't seen the right thread, but it isn't obvious - don't make message boards a regretful experience.

drawmack

you should have been more clear in your initial post.

anyway, yes there are lots of ways

text files
database
xml
cookies
session variables
etc, etc

nasty_psycho

look , never yse that type of auth because anybody on the same computer can know the password by just loking at the history, and generally it is sent unsecured etc. so NEVER USE IT!

you can ask them to loging but not to put their password into the URL, you can use the header function to force the users to login by something like this

header("auth blablala"); /// search for this because I'm not sure , goto w3c and see for headers

anotherocd

I was having a bad day yesterday sorry for my comments (drawmack).

I know there is a way to do it like nasty_psycho was suggesting (using headers) - I just don't know enough about the HTTP protocol to know what headers to send and what responses to expect - I have, however, been doing my homework and will figure out a solution soon. Thanks for the posts

PHPGuru2

Nothing is perfectly secure over the internet..... That's what I usually think lol. What matters is how you try to make things more secure. So embedding username/password in the URL is obviously not the way to do since people behind your desk can see and steal your username and password along with the domain.... Good luck bro.

drawmack

nothing is every absolutely secure. Just gotta try and make it computationally secure.

anotherocd

I figured out what I needed using headers - thanks for all the posts.