Hacker Newsnew | comments | show | ask | jobs | submit login

No. The UA strips those and puts them in an Auth header.



Depends on the UA (curl?)

-----


OK, so it'll either add an auth header or not know what to do and refuse to do anything. Either way the password is not sent in the request url

-----


Actually, I mused have screwed up last night. The version of curl I have does support it and does put it into the Auth header.

  % curl --trace-ascii /dev/stdout http://jimktrains:password@news.ycombinator.com
  == Info: About to connect() to news.ycombinator.com port 80 (#0)
  == Info:   Trying 184.172.10.74... == Info: connected
  == Info: Server auth using Basic with user 'jimktrains'
  => Send header, 223 bytes (0xdf)
  0000: GET / HTTP/1.1
  0010: Authorization: Basic amlta3RyYWluczpwYXNzd29yZA==
  .......
Some UAs however, do just drop it. Like IE (http://support.microsoft.com/kb/834489)

-----


Even curl does the right thing for basic auth

-----




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: