Usernames in the http_URL

John-Paul Bader hukl at berlin.ccc.de
Fri Dec 18 04:48:43 EST 2009


Hey guys,


I think the <resource_type>://<username>:<password>@<host>/<path> scheme is not "illegal". There are examples of this in the URL RFC, just no explicit HTTP example.

This is probably a vague area. It's not in the HTTP RFC and it's not explicitly mentioned in the HTTP auth RFC either, but in combination with the URL RFC there is at least room for it. I haven't found the paragraph yet which says: no username:password stuff allowed in HTTP URLs. But I was just searching through these things … there are good chances I missed it.

http://en.wikipedia.org/wiki/URI_scheme
http://tools.ietf.org/html/rfc2617
http://www.ietf.org/rfc/rfc1738.txt

Anyway, I came across such URLs a lot. Often I use them for giving people easy access to an otherwise basic authed resource - in a chat conversation for example. I know Apache and nginx support this - IIS does not.

Hrm - tough call ;)

Kind regards, John
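
Added example, not part of the original message: how a client can turn the `<username>:<password>@<host>` form discussed above into a credential-free URL plus an RFC 2617 Basic `Authorization` header, so the secret does not end up in request lines or logs. The function name `split_userinfo` and the sample URLs are made up for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_userinfo(url):
    """Return (url_without_credentials, authorization_header_or_None)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("not an http(s) URL")
    if parts.username is None:
        # No userinfo component: nothing to strip, no header to send.
        return url, None

    # Userinfo is percent-encoded inside a URL; decode it for the header.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    if ":" in user:
        # RFC 2617 user-ids cannot contain ':' because Basic credentials
        # are serialized as "user:password".
        raise ValueError("username must not contain ':'")

    # Rebuild the authority from host and port only.
    host = parts.hostname or ""
    if ":" in host:
        host = "[" + host + "]"  # IPv6 literal needs its brackets back
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
    )

    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return clean, "Basic " + token.decode("ascii")


if __name__ == "__main__":
    # Constructed sample; the credentials are the ones used in RFC 2617.
    sample = "http://Aladdin:open%20sesame@www.example.com/dir/index.html"
    clean_url, header = split_userinfo(sample)
    print(clean_url)
    print("Authorization:", header)
```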


More information about the mongrel-unicorn mailing list