How can I embed an user-id and password into a URL?

Question:

Malvaro

2008-07-08 12:18:38 UTC

My job requires me to log into a 3rd party password-authenticated website to view delivery statuses.

The 3rd party website URL I have to use is:
http://www.mynvc.com/ClientSite2/OrderDetails.aspx?OrderID=123456?

I've attempted the below links to no avail:

http://www.mynvc.com/ClientSite2/OrderDetails.aspx?OrderID=123456?username=Bob&password=Bob
http://Bob:Bob@www.mynvc.com/ClientSite2/OrderDetails.aspx?OrderID=123456

Any suggestions on how to embed a user ID and password into the URL, so I dont have to manually log in everytime I click on the link? Unfortunately, I cannot offer the user ID or password for one to test on...

My work internet browser is IE 6.0 running on XP.

Four answers:

Some Guy

2008-07-08 12:24:35 UTC

You generally do not.

If the login form has been made properly, POST is used instead of GET, because GET is... well... not secure *at all*.

There's a reason no website uses querystrings to allow for fast entry of user credentials.

icefyre

2008-07-08 12:29:07 UTC

Whether you can do that or not depends completely on whether the site is using GET or POST to pass its data from the login page to another page. If it's using get then you should be able to put the credentials directly into the URL (you can login under a dummy account to see the format) otherwise... you're out of luck. The way to tell if they are using Get or POST is to check out the url once you log in. If the url is long and convoluted with many variables and values, they are using GET. If it's not, then they are using POST.

I have no clue how to go about it if they are using POST.

If they are using GET just embed the credentials directly into the url

JohnW

2008-07-08 12:24:20 UTC

From the looks of the website, you're not going to be able to insert a username and password into that url. They use forms authentication which uses an HTTP Post in order to submit the authentication.

They have a 'remember me' checkbox. That should keep you logged into the site. But there's not going to be a way to insert that username and password in the url.

Trev

2008-07-08 12:58:18 UTC

Tried hacking it:

Got this back:

Invalid postback or callback argument. Event validation is enabled using in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

It was always going to want a POST action anyway!

ⓘ

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.

about - legalese