Flicks FAQ: User Password In Url

Q. http://username:password@www.mydomain.com doesn't work anymore!

A. That's right. Around 2/2004 Microsoft issued a security update for IE which disallows this form of URL.

The most likely workaround is to convert to using forms-based/cookie login, and modify the easyloginnow.asp to accept the username/password from the source of your choice, rather than the usual login.htm page.

For example, instead of using
http://username:password@www.mydomain.com
use something like
http:/www.mydomain.com/firstfile.asp?u=username&p=password

then grab the u/p out of the url string, and use these to set the cookie for cookie-based login.

Be aware that this method of passing in a username and password is vulnerable to simple copy/paste attacks, whereby the URL can be posted on forums to effectively destroy your security.
Note that VideoQuota is soon to have "TimerTokens". (VideoQuota includes AuthentiX/WebQuota with enhanced functionality.)
Timertokens are generated on the fly, and contain the username and password encoded, along with the current time, encrypted. VideoQuota decodes and matches up the token, permitting access only if the token is freshly minted within the last few seconds. Good for links.
This premium feature is only available in VideoQuota, which costs more.

Back to the top of the FAQ

Prev Next