send credentials with url, possible?
I have a web service that I protect with basic authentication and SSL. To make it easy for the clients that are going to use this web service, I want to skip the 401 and send the credentials with the URL (I would like the customer to be able to access the web service via a URL from their code / web app). Question is, is this possible?
I know about headers, but a lot of the clients that are going to use this don't have a proper development team to write code.
thanks
Well, you certainly could, but you really shouldn't. Sending information in plain text in the URL is bad, since that URL may get cached in several different places and generally unnecessarily exposes sensitive information. You could encrypt it before sending it, but that's probably more trouble than it's worth.
The accepted method for using a purely URL based authentication is a token of some sort. You'll need to go through a standard login procedure to generate the token though. Addendum: Also note that that's better than putting the plain text password in the URL, but still has its share of problems. URLs are more widely logged, cached and bookmarked than other header information. At least you retain control of the token though and can expire it after some time, whereas a password in the URL can't simply be expired.
If you're developing an API, I think it's reasonable enough to require some authentication procedure. If your clients can't do it, offer a library or code snippets that'll help them.
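As an added illustration of the token approach described in this answer (example code, not from the question's author or any answer here): the client logs in once over the normal authenticated path, receives a short-lived token, and puts only that token in later URLs. The server can verify the token without a database lookup and the token expires on its own, which is the property a password in the URL lacks. The signing scheme (HMAC-SHA256 over a small JSON payload), the `SECRET_KEY` name and the 300-second lifetime are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical server-side signing key for this example; load it from
# configuration in real deployments, never hard-code it.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe inside a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_token(username: str, ttl_seconds: int = 300, now=None, key: bytes = SECRET_KEY) -> str:
    """Called after a normal login succeeded. Returns '<payload>.<mac>'.

    Only this token, never the password, is placed in subsequent URLs, and it
    stops working once 'exp' has passed even if it was logged or bookmarked.
    """
    current = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(current + ttl_seconds)},
                         separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(mac)


def verify_token(token: str, now=None, key: bytes = SECRET_KEY):
    """Return the username for a valid, unexpired token, or None otherwise."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        mac = _b64url_decode(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: a tampered payload or forged MAC fails here.
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None  # expired: a leaked token is useless after its lifetime
    return claims.get("sub")


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=300)
    print("token for URL:", tok)
    print("verified as:", verify_token(tok))
```

The token still travels in URLs, so it inherits the logging and caching problems the answer mentions; the short `ttl_seconds` bounds how long a leaked token is useful, and the server can rotate `SECRET_KEY` to invalidate every outstanding token at once.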
I can't agree more with @deceze. Sending a password in the URL is bad and completely defeats the purpose of having SSL. On the other hand, if you use BASIC + SSL, your body is encrypted. This implies that the password that you POST (using a FORM -> UserName & Password field) can't be decrypted by anyone in between due to the SSL being in operation.
I also don't completely agree that URL based auth with some token will be good, mainly because however you encrypt it (or not!), the URL is anyway going through all the hops as a query string to everyone. Hence anyone who can read the URL can impersonate the user.
HTH, Rahul
WARNING: As others have mentioned, this is a VERY BAD IDEA!
However, in the interest of answering your original question, assuming you are using basic authentication, you can embed the username and password in the URL like so.
http://userid:password@www.anywhere.com/
This will make it much easier for your users to use the API, and for hackers to circumvent your security. You are only marginally better off than just turning off authentication altogether.
WARNING: As others have mentioned, this is a VERY BAD IDEA!
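The contrast both Rahul's answer and this one draw is between credentials in the URL (`http://userid:password@www.anywhere.com/`), which end up in every log and cache that sees the request line, and credentials in the `Authorization` header, which under SSL are inside the encrypted body. As an added example that is not from this thread, the code below shows the client-side header a caller would send instead, the server-side parsing and constant-time check of that header, and a helper that strips `user:password@` from a URL before it is written to a log or bug report. The function names and the `https` host are assumptions of this example; the sample credentials are constructed.

```python
import base64
import binascii
import hmac
from urllib.parse import urlsplit, urlunsplit


def basic_auth_header(username: str, password: str) -> str:
    """Client side: value for the Authorization header, replacing user:pass@ in the URL."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header_value: str):
    """Server side: decode 'Basic <base64>' into (username, password), or None if malformed."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, pw = decoded.partition(":")  # username may not contain ':', password may
    return user, pw


def check_basic_auth(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Verify a header against the expected credentials without leaking timing information."""
    parsed = parse_basic_auth(header_value)
    if parsed is None:
        return False
    user, pw = parsed
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pw_ok = hmac.compare_digest(pw.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pw_ok


def redact_userinfo(url: str) -> str:
    """Remove user:password@ from a URL so it can be logged or quoted safely."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    netloc = parts.netloc.rpartition("@")[2]  # everything after the last '@' is host[:port]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample credentials and URL for demonstration only.
    header = basic_auth_header("userid", "password")
    print("Authorization:", header)
    print("accepted:", check_basic_auth(header, "userid", "password"))
    print("loggable URL:", redact_userinfo("https://userid:password@www.anywhere.com/api?x=1"))
```

A server that must accept the `userid:password@` form from legacy clients can at least run `redact_userinfo` over request URLs before they reach its access log, and should reject the form on plain `http`, since there the credentials are also visible on the wire.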