No browser is sending Authorization info in header

Question

I'm looking at this and this and it would appear 'easy' to send the credentials in the URL. For example:

http://gooduser:secretpassword@www.example.com/webcallback?foo=bar

This is all well and good but it doesnt work. I've turned fiddler on and for Chrome the Authorization header isnt sent. It appears to exhibit the same behaviour for other browsers (i've got a breakpoint on the server and no Authorize header turns up for Firefox,Safari or IE either)

How to make it better?

Hi, I just ran into the same question. Have you found a solution yet? — mreithub, Feb 14 '13 at 14:28
I was surprised that I see the Authorization header sent for a Basic autorization in chrome. Others still fail — spankmaster79, Feb 18 '13 at 16:40

score 2 · Answer 1 · answered May 11 '13 at 20:53

Stumbled across this while researching various basic auth implementations.

Browsers generally only send basic auth if they receive a 401 challenge response from the server (more on basic auth protocol). If the endpoint in question accepts both authenticated and non-authenticated users, then a browser-based request will likely never be prompted for the auth parameters.

The easiest way to test this type of setup is to send a curl request (which sends the authentication parameters regardless) to your server endpoint and validate receipt of the authorization header:

curl 'http://gooduser:secretpassword@www.example.com/webcallback?foo=bar'

score 0 · Answer 2 · answered Aug 01 '13 at 00:33

OK so after much searching and experimenting the approach

http://gooduser:secretpassword@www.example.com/webcallback?foo=bar

does work. However one needs to be careful to ensure that the secret password DOES NOT contain any special characters. Use a password containing only letters and numbers and a hypen(if you must) and it should work.

No browser is sending Authorization info in header

2 Answers2

Linked