没有浏览器在头中发送授权信息 [英] No browser is sending Authorization info in header
问题描述
我正在查看此, 这个,它会看起来很容易在URL中发送凭证。例如:
http:// gooduser:secretpassword@www.example.com/webcallback?foo = bar
这一切都很好,但不起作用。我已经开启了小提琴手,并且Chrome并没有发送 Authorization
标头。它似乎表现出对其他浏览器相同的行为(我在服务器上有一个断点,并且Firefox,Safari或IE没有Authorize标头)
使其更好?
如果浏览器收到来自服务器的 401
质询响应,通常只会发送基本身份验证(关于基本身份验证协议的更多信息)。如果有问题的端点接受了已验证和未验证的用户,那么基于浏览器的请求可能永远不会被提示输入验证参数。
最简单的测试方法这种类型的设置是发送一个curl请求(它将发送身份验证参数,无论)到您的服务器端点,并验证授权
标头的收据:
curl'http:// gooduser:secretpassword@www.example.com/webcallback?foo = bar'
I'm looking at this and this and it would appear 'easy' to send the credentials in the URL. For example:
http://gooduser:secretpassword@www.example.com/webcallback?foo=bar
This is all well and good but it doesnt work. I've turned fiddler on and for Chrome the Authorization
header isnt sent. It appears to exhibit the same behaviour for other browsers (i've got a breakpoint on the server and no Authorize header turns up for Firefox,Safari or IE either)
How to make it better?
Stumbled across this while researching various basic auth implementations.
Browsers generally only send basic auth if they receive a 401
challenge response from the server (more on basic auth protocol). If the endpoint in question accepts both authenticated and non-authenticated users, then a browser-based request will likely never be prompted for the auth parameters.
The easiest way to test this type of setup is to send a curl request (which sends the authentication parameters regardless) to your server endpoint and validate receipt of the authorization
header:
curl 'http://gooduser:secretpassword@www.example.com/webcallback?foo=bar'
这篇关于没有浏览器在头中发送授权信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!