7

How can i show an image from a server with standard http protection without showing the authentication window?

I now use standard html 

<img src="...">

but because the image is protected this asks for an authentication window. I do have the login data, how can i show the image?

Regards, Tom.

user3053216
  • 777
  • 1
  • 9
  • 24
  • You should provide some code. – Jonast92 Jun 04 '14 at 16:44
  • 2
    Are you able to use PHP at all? If not, please ignore this comment. If so, I would suggest using a php script as a proxy and using cURL with basic auth ( http://stackoverflow.com/questions/2140419/how-do-i-make-a-request-using-http-basic-authentication-with-php-curl ) to read the image from the remote location. Then set the header-content type to whatever the image type is. For instance for JPEG: header('Content-Type: image/jpeg'); I use this mechanism often. – IrishGeek82 Jun 04 '14 at 16:52

2 Answers2

7

This should work. Simply replace the username and password with your authentication details. (Warning: Doesn't work in all browsers)

<img src="http://username:password@server/Path" />

I would recommend putting this in a separate file on your server. That way you can reference it without exposing the authentication info.

Brobin
  • 3,241
  • 2
  • 19
  • 35
7

I used IrishGeeks tip to get a solution. It works on all browsers. The script.php is

<?php
$url    = $_GET['url'];
$c = curl_init($url);
$authString = 'user:pass';
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
curl_setopt($c, CURLOPT_USERPWD, $authString);

$content = curl_exec($c);
$contentType = curl_getinfo($c, CURLINFO_CONTENT_TYPE);
header('Content-Type:'.$contentType);
print $content;
?>

Then use 

<?php
print '<img src="script.php?url='.urlencode('http://www.example.com/image.bmp').'" />';
?>

To get the image.

user3053216
  • 777
  • 1
  • 9
  • 24
  • 3
    I'm shocked that this code was the accepted answer to this question. While your script makes it possible to load images through htaccess-protected websites it leaves your website open to a bunch of attacks including XSS-Injections. You are using the Content Type from the given Website, and there isnt any check for malicious content or something. I wont mind how much websites are vulnarable bc they are copying this code here and doesnt mind about how its working. Please edit it and stop spreading insecure code. – J. Doe Nov 25 '20 at 10:37