Pass Question Mark (?) in Password for HTTP Basic Authentication in URL

.htaccessencodingseleniumurl

I am automating a website which requires HTTP Basic Authentication.

The suggestions given in this link work like a charm in most cases:

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

However, some of the users have a Question Mark (?) in password.
Please advise on how to escape the question mark.

P.S.
I am aware that @ in the username can be escaped as %40.

Best Answer

I assume you must be referring to the userinfo part of the URL in which the user credentials are passed, not "URL parameters" (which are part of the query-string):

https://<userinfo>@example.com/foo?<query-string>

As with any character that is not permitted in any one part of the URL (because it may have special meaning), it must be URL-encoded (percent-encoded) as % followed by the two digit hex code for that character.

So, @ is %40 and ? is %3F.

But those aren't the only two characters that may need URL encoding. You should be passing the value through a URL-encode function in your script to correctly URL encode that part of the URL.

RFC 3986 defines what characters are permitted (unencoded) in the userinfo part of the URL:

userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded = "%" HEXDIG HEXDIG
sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"

              / "*" / "+" / "," / ";" / "="

So, everything else must be percent-encoded, including : and % - if they are part of the user or password parts (in order to negate there special meaning).

Also stated in the same document:

Use of the format "user:password" in the userinfo field is deprecated.

Consequently browser support has been patchy, coming and going over the versions (security a primary concern). I believe the latest versions of Chrome (tested v79) and Firefox do support user credentials in the URL. I've seen comments that this also works in the latest Safari(?), although this hasn't worked for a long time and it doesn't currently work for me (although I'm not running the latest on iOS 12.4.1). And IE dropped support for usernames and passwords in the URL some years ago and it doesn't look like it's coming back.

Related Solutions

Basic Authentication with htaccess but without password file

You can absolutely use .htaccess to restrict access, but I don't know of any way to avoid creating an equivalent .htpasswd file if you want to control access via users and passwords, rather than whitelisted IP addresses or similar.

Now, you can create any number of .htpasswd files; so if you wanted a specific one for a specific directory, that would be easy to set up by creating the .htpasswd file using:

htpasswd /usr/local/etc/apache/.your_htpasswd_filename_here username_here

then specifying it using the "AuthUserFile" directive in your .htaccess file.

Simplest way to redirect from a page on one domain’s URL to another domain

If you have control of the DNS settings for your domain, you should be able to add a CNAME of "mail" directed towards "ghs.google.com", that way you'll only need to give your kids the address of: "mail.yourdomain.com", which automatically directs to "mail.google.com/a/yourdomain.com". I suggest you force https use on your domain (done at the admin control panel of Google Apps) for extra security.

I'd suggest not using an 'auto-populate' approach for your kids' usernames. It's always best not to peal any layer of security if it's not truly needed. Plus, you'd be surprised how much (and how fast) they can learn system procedures!.

Best Answer

Related Solutions

Basic Authentication with htaccess but without password file

Simplest way to redirect from a page on one domain’s URL to another domain

Related Topic