in reply to Re (tilly) 1: Put name and password in URLs
in thread Put name and password in URLs

I realize this thread is over two years old, but it caught my attention because I have been looking into deobfuscation of evil URLs, and I believe this is not a good idea, particularly in a HTTP URL.

This field (called "userinfo") is defined in the general URI format in RFC 2396, but it is not used in the HTTP URL fomat described in RFC 2616. Nonetheless, most browsers will transmit this field unchanged, and most web servers will ignore it, but supply it to a CGI program as part of the "environment" data. Its chief application is intentionally obscuring the identity of the URL. It is used mainly by fraudsters and spammers for that purpose.

In addition, here is a quote from RFC 2396:

"It is clearly unwise to use a URL that contains a password which is intended to be secret. In particular, the use of a password within the 'userinfo' component of a URL is strongly disrecommended except in those rare cases where the 'password' parameter is intended to be public."

  • Comment on Re: Re (tilly) 1: Put name and password in URLs

Replies are listed 'Best First'.
Re: Re: Re (tilly) 1: Put name and password in URLs
by tilly (Archbishop) on Nov 10, 2003 at 15:32 UTC
    While I grant you that this can be used by fraudsters for social engineering purposes, it has many more legitimate uses. The most common one that I have had is to simplify automation of fetching web pages for batch jobs. You don't have to rewrite a script that used LWP::Simple or that passes stuff to lwp-request, you just add stuff to the URL.

    While I can't say for sure what people around here have used it for, all of the comments that I have received suggest that they used it for exactly what I did.

[reply]

In Section Cool Uses for Perl