RTC Forums

Subscription => Support => Topic started by: usernametaken on July 20, 2017, 09:12:27 AM



Title: Username and Password from URL
Post by: usernametaken on July 20, 2017, 09:12:27 AM
Is there any way in RTC to read the username and password on the server if it is passed in the URL?

http://username:password@myurl.com/
        =================
//         /\
//         ||
// I need this part

I googled around and it is supposed to be in the request header 'Authorization', but it is not in the request.HeaderText... I also don't see it in the Request Headers in the browser (Chrome) debugger.



Title: Re: Username and Password from URL
Post by: D.Tkalcec (RTC) on July 20, 2017, 01:11:43 PM
According to the info I've just found after a short Google search (see https://bugs.chromium.org/p/chromium/issues/detail?id=123150 and https://bugs.chromium.org/p/chromium/issues/detail?id=504300), Basic Authentication using URLs where the username and password are embedded in plain text with the format http://username:password@mydomain.com has been intentionally removed from Google Chrome 19 (apparently for security reasons and because "Internet Explorer" does NOT support this either, see https://support.microsoft.com/en-us/help/834489/internet-explorer-does-not-support-user-names-and-passwords-in-web-sit). I guess that's why you can't find that info in the Chrome Browser when debugging and why it is NOT in the "Authorization" Request header, which you could normally access using the Sender.Request['Authorization'] property and by checking the Sender.Request.HeaderText property (where all Request Headers are included).

Best Regards,
Danijel Tkalcec


Title: Re: Username and Password from URL
Post by: usernametaken on July 20, 2017, 01:23:55 PM
Thanks for the quick response and feedback (as always).

It is unfortunate, because it is quite convenient sometimes for testing purposes.

However, even though Chrome is not showing it in the debugger... it still sends it to the server... I am not sure how.
I have some applications running on GlassFish that use this, and they are still working.
Also, when I issue https://username:password@google.com/ I get a whole lot of security-related messages back (in the debugger) from their server... That implies that the server is getting it.

Anyway... It is a nice-to-have, but not needed in the production environment for my project.


Title: Re: Username and Password from URL
Post by: D.Tkalcec (RTC) on July 20, 2017, 01:36:59 PM
Anything a Web Browser sends to the RTC Server as part of an HTTP/S Request Header will be accessible through the Sender.Request object (Method, URI and HeaderText). If it is NOT there, then it was NOT sent by the Web Browser you are using. As for Chrome, since it is basically a "Google" Browser, I wouldn't be surprised if this mechanism was disabled for all domains, except for those owned by Google.

Best Regards,
Danijel Tkalcec
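
Added example, not part of the thread and not RTC code: a Python sketch of the mechanism discussed above, showing the "Authorization" header a client that honours URL userinfo would build, and how a server can recover the credentials from raw header text, returning nothing when the header was never sent. The function names, the sample header text and its "Name: value" line layout are assumptions made for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote


def authorization_for_url(url):
    """Header value a client that honours URL userinfo would send, or None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_credentials(header_text):
    """Extract (user, password) from raw request header text, or None."""
    for line in header_text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None  # other schemes (Bearer, Digest) carry no password
        try:
            raw = base64.b64decode(token.strip(), validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed token: treat as unauthenticated
        # Only the first ':' separates the fields; a password may contain ':'
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None  # header absent: the client did not send credentials


# Constructed sample requests (not captured traffic).
SENT = ("GET / HTTP/1.1\r\nHost: myurl.com\r\nAuthorization: "
        + authorization_for_url("http://username:password@myurl.com/") + "\r\n")
NOT_SENT = "GET / HTTP/1.1\r\nHost: myurl.com\r\n"

if __name__ == "__main__":
    print(basic_credentials(SENT))      # credentials recovered from the header
    print(basic_credentials(NOT_SENT))  # nothing to recover: header was not sent
```
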