67

When using http basic authentication, the username can be passed in the URL, e.g.

http://david@foo.com/path/

But now suppose the username is an email address, e.g. david@company.com. Doing this is clearly ambiguous:

http://david@company.com@foo.com/path/

Is there a way to escape the @ character in the username? I tried standard URL encoding:

http://david%40company.com@foo.com/path/

But that didn't do it.

David Ebbo
  • You can't use @ in URLs. Or did I get you wrong? – Hnatt Jul 16 '11 at 15:53
  • 3
    I know I'm a little late to the party, but did you simply miss the password part? The standard syntax should be `http(s)://user:pass@host`. So in your case it should be `http(s)://david%40company.com:Y0ur%24up3r%243cur3P%40%24%24w0rd@foo.com`. – FatalMerlin Aug 09 '17 at 17:28
  • 1
    @FatalMerlin you can have both the flavor with just username, and with both username & password. Though that is, I think, orthogonal to the escaping issue. – David Ebbo Aug 09 '17 at 21:25

1 Answer

91

According to RFC 3986, section 3.2.1, it needs to be percent encoded:

  userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )

So it looks like

http://david%40company.com@foo.com/path/

is right. Where are you trying to read it? Maybe you need to manually decode the value?

sagi
  • I have my own server side code that processes the credentials. I need to debug it and see exactly what I receive when I escape this way. I'll follow up! – David Ebbo Jul 16 '11 at 16:27
  • 2
    Clients don't appear to do well with that syntax. e.g. IE9 blocks it before even sending any request, and gives the error "Windows cannot find 'http://david%40company.com@foo.com/path/'. Check the spelling and try again.". This leads me to believe that this syntax is not actually supported, despite what it may seem from the RFC. – David Ebbo Jul 17 '11 at 05:15
  • 1
    Interesting. We tried this exact syntax with a URL being fetched using Drupal's `drupal_http_request`, and it didn't let the user log in. (We have since fixed the problem, but I came searching anyway out of academic interest.) – Hakanai Jan 23 '17 at 02:15
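The encoding and the "manually decode" step discussed in the answer above, as an added example (not code from the question, the answer or any project mentioned here). It uses only the Python standard library; the function names are hypothetical. It checks a string against the RFC 3986 `userinfo` grammar, builds the URL with each credential percent-encoded, and shows that the value must be decoded after the URL is split and before it goes into the `Authorization: Basic` header the server reads.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

# RFC 3986 section 3.2.1: userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
_USERINFO = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*")

def is_valid_userinfo(userinfo):
    """True if the string fits the userinfo grammar (a raw "@" does not)."""
    return _USERINFO.fullmatch(userinfo) is not None

def build_url(username, host, path="/", password=None):
    """Percent-encode each credential so "@", ":" and "/" cannot act as delimiters."""
    userinfo = quote(username, safe="")
    if password is not None:
        userinfo += ":" + quote(password, safe="")
    return f"http://{userinfo}@{host}{path}"

def split_credentials(url):
    """Return (host, username, password) with the credentials percent-decoded."""
    parts = urlsplit(url)
    # urlsplit leaves username/password encoded; decode after splitting, never before.
    user = unquote(parts.username) if parts.username is not None else None
    pw = unquote(parts.password) if parts.password is not None else None
    return parts.hostname, user, pw

def basic_auth_header(username, password=None):
    """What a client sends: base64 of the decoded "user:password" pair."""
    raw = f"{username}:{password or ''}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_auth_header(value):
    """What a server recovers; split on the first ":" only."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw

if __name__ == "__main__":
    url = build_url("david@company.com", "foo.com", "/path/")
    print(url)
    host, user, pw = split_credentials(url)
    print(host, user, parse_basic_auth_header(basic_auth_header(user, pw)))
```

A server that logs or compares the still-encoded `david%40company.com` has skipped the decode step; the username inside the Basic header is the literal `david@company.com`.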