Escaping username characters in basic auth URLs

http basic-authentication
David Ebbo picture David Ebbo · Jul 16, 2011 · Viewed 39.1k times · Source

When using http basic authentication, the username can be passed in the URL, e.g.

http://[email protected]/path/

But now suppose the username is an email address, e.g. [email protected]. Doing this is clearly ambiguous:

http://[email protected]@foo.com/path/

Is there a way to escape the @ character in the username? I tried standard URL encoding:

http://david%[email protected]/path/

But that didn't do it.

Answer

sagi picture sagi · Jul 16, 2011

According to RFC 3986, section 3.2.1, it needs to be percent encoded:

  userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )

So it looks like

http://david%[email protected]/path/

Is right. Where are you trying to read it? Maybe you need to manually decode the value?

Related questions

How to define the basic HTTP authentication using cURL correctly?

I'm learning Apigility (Apigility docu -> REST Service Tutorial) and trying to send a POST request with basic authentication via cURL: $ curl -X POST -i -H "Content-Type: application/hal+json" -H "Authorization: Basic YXBpdXNlcjphcGlwd2Q=" http://apigilityhw.sandbox.loc/…

Read More
What is the "realm" in basic authentication

I'm setting up basic authentication on a php site and found this page on the php manual showing the set up. What does "realm" mean here in the header? header('WWW-Authenticate: Basic realm="My Realm"'); Is it the page …

Read More
How to log out user from web site using BASIC authentication?

Is it possible to log out user from a web site if he is using basic authentication? Killing session is not enough, since, once user is authenticated, each request contains login info, so user is automatically logged in next time …

Read More