
I'm currently connecting with a site which uses basic auth, and my URL looks like http://username:password@mysite.com. It works, but everyone can see the password; is there any method to hide it, by means of base64 or something similar?

1 Answer


This syntax is just a shortcut for the browser. Some browsers will use this syntax to build the Authorization headers (some will not).

But one thing is sure: you are giving the user+password to everyone. If your site uses basic authentication, then you need to give the user and password information to your users, like in an email for example. Why would you add an authentication and then let everybody access the authenticated section?

HTTP Basic authentication is not very secure, but it can be used to prevent indexing by bots, or with HTTPS. When you add this sort of (annoying) popup, the users will have to enter the credentials; there is no other way. And the browser will record the credentials and add the same information (user+pass encoded in base64, which means it is in clear text, no security) for each page requested on your site until the browser is closed. So you do not need to add the credentials to the URL; the browser will do it for you, after a first popup.

regilero
  • Thanks for your response, but I do need to add the credentials on the URL because it's an unattended connection (web kiosk, sort of) and I must avoid the popup – eltrasimaco Nov 04 '16 at 12:45
  • If you need to hide this authentication from the final user, it means you need to work in a BtoB mode: your application will proxy the distant website and add the authorization. – regilero Nov 10 '16 at 10:18
  • Sorry @regilero, but I don't understand what you mean; I haven't got any application, my client is a Raspberry with Chromium and my server is something like ISA Server (Windows). I jump into the URL using a JavaScript location: line – eltrasimaco Nov 22 '16 at 08:28
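
The answer's point that base64 hides nothing, shown as an added example (not code from the original post or its author): it turns URL credentials into the `Authorization` header a client would send, then recovers the password from that header without any key. The hostname, credentials and function names are constructed for illustration; it runs under Node.js.

```javascript
// Added example. Hostname and credentials below are constructed sample values.

// Pull the userinfo out of a URL the way a client must before sending it.
function splitCredentials(urlString) {
  const u = new URL(urlString);
  const creds = {
    username: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
  };
  u.username = '';
  u.password = '';
  return { cleanUrl: u.href, ...creds };
}

// RFC 7617: "Basic " + base64(user ":" password). Encoding, not encryption.
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Anyone who sees the header can reverse it; no key is involved.
function decodeBasicAuthHeader(header) {
  const [scheme, token] = header.trim().split(/\s+/);
  if (!token || scheme.toLowerCase() !== 'basic') throw new Error('not a Basic header');
  const text = Buffer.from(token, 'base64').toString('utf8');
  const sep = text.indexOf(':'); // user-id cannot contain ':', the password can
  if (sep < 0) throw new Error('malformed credentials');
  return { username: text.slice(0, sep), password: text.slice(sep + 1) };
}

// Constructed kiosk URL; the password contains '@' and ':' (percent-encoded).
const sample = 'http://kiosk:p%40ss%3Aword@mysite.example/status';
const parts = splitCredentials(sample);
const header = basicAuthHeader(parts.username, parts.password);
console.log(parts.cleanUrl);                // URL without userinfo
console.log(header);                        // what goes on the wire
console.log(decodeBasicAuthHeader(header)); // password recovered
```

Base64-encoding the credentials in the page or the URL therefore gives the same exposure as writing them in clear text; only transport encryption (HTTPS) or keeping the credentials on a server-side proxy keeps them away from someone who can read the client.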