0

I'm developing some PHP pages that require HTTP Authentication. In some cases, displaying the logon prompt is fine, but in other cases (where I'm trying to provide access to an app on an ipad), it is not.

Can a user send their username and password in a request for a page somehow, in order to 'bypass' the logon prompt, and if so, how would this be accomplished?

I'll be using HTTPS.

JEJoll
  • The solution is much more simple than you think: actually you just have to send the credentials! The "login prompt" you refer to is the result the browser shows if it gets a forbidden back or is denied access for a site protected by an http authentication strategy. All that differs the failed request from a successful one is that the credentials were sent. So you can actually do that immediately, _if_ you know the credentials without asking the user. – arkascha Apr 10 '16 at 14:04
  • How would these credentials be sent by the user? – JEJoll Apr 10 '16 at 14:08
  • Not by the user, by your application that does the request. If the user is to enter the credentials, then you need some means of input (so some authentication form / popup). – arkascha Apr 10 '16 at 14:15
  • Sorry, when I said user, I meant device/app. To clarify: How would the app send the credentials? – JEJoll Apr 10 '16 at 14:40
  • Well, in the code of your app you do the http request. Most likely you don't do that "by hand" but use a library for http requests. You should be able to add individual headers to the request, regardless of what type of request you do. The headers are defined in the http protocol definition. You also want to take a look into the apache documentation about http authentication schemes. – arkascha Apr 10 '16 at 17:36

2 Answers

0

You can append the username and password to the start of the URL in the following form:

https://username:password@yoursite.com/
Chris
  • I've seen this kind of solution in other places, but along with those solutions, there has been some discussion that this has been disabled in many browsers. Is this something I need to be concerned with, or does the fact that I'm not even going to be using a browser in certain cases mean I don't need to be concerned? – JEJoll Apr 10 '16 at 14:10
0

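You can use this code to bypass the login prompt.

// Objective-C: embed the credentials in the URL's userinfo part (plain HTTP, then HTTPS)
NSString *httpURL = [NSString stringWithFormat:@"http://%@:%@@example.com/login.php", username, password];
NSString *httpsURL = [NSString stringWithFormat:@"https://%@:%@@example.com/login.php", username, password];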
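
The comments describe sending the credentials as a request header, and both answers put them in the URL. The added example below (not code from any of the posts) shows that the two forms carry the same `Authorization: Basic` value, and why credentials placed in a URL must be percent-encoded first. Python stands in for the app's HTTP library here; the function names and sample credentials are constructed for illustration.

```python
import base64
from urllib.parse import quote, unquote, urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Value of the Authorization header for HTTP Basic auth (RFC 7617)."""
    if ":" in username:
        # The server splits on the first colon, so a user-id cannot contain one.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def url_with_userinfo(host_and_path: str, username: str, password: str) -> str:
    """Build the https://user:pass@host/ form with the credentials percent-encoded."""
    user = quote(username, safe="")
    pw = quote(password, safe="")
    return f"https://{user}:{pw}@{host_and_path}"


def header_from_url(url: str) -> str:
    """What an HTTP client derives from URL userinfo: the same Basic header."""
    parts = urlsplit(url)
    return basic_auth_header(unquote(parts.username or ""), unquote(parts.password or ""))


def parse_basic_header(value: str) -> tuple[str, str]:
    """Server-side view: recover (username, password) from the header value."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


if __name__ == "__main__":
    # Constructed sample credentials; the password contains characters
    # ('@', '/', ':') that change the meaning of a URL if left unencoded.
    user, pw = "ipad-app", "p@ss/w:rd"
    print("Authorization:", basic_auth_header(user, pw))
    print(url_with_userinfo("yoursite.com/", user, pw))
```

Sending the header directly keeps the password out of the URL, which is the part of a request that typically ends up in server access logs and history. Base64 is an encoding, not encryption, so the header is only protected by the HTTPS connection it travels over.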