469,304 Members | 2,192 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,304 developers. It's quick & easy.

Header redirection problem with IE

Ian
Can anyone help with a problem I am having regarding redirection.

I'm using the following php call to redirect users to a site and
automatically enter the required login name and pass for the target
site:

header("Location: $link");
exit();

where $link is something like:
"http://name:pa**@web.address.com"

The function works perfectly when I use Firefox but fails when I use IE.
If I just paste the target website address into IE the link works so the
problem seems only to occur when I'm redirecting to an http address that
has the name and password embedded and I'm using IE.

Can anyone help solve the problem? (p.s. I dont't want to use
javascript)

Thanks in advance.
Jul 23 '05 #1
5 3583
Ian <ia*@nospam.com> wrote:
Can anyone help with a problem I am having regarding redirection.
It isn't really an HTML matter.
"http://name:pa**@web.address.com"

The function works perfectly when I use Firefox but fails when I use IE.
Define "perfectly". The URL does not comply with URL specifications, which
disallow username:password part in http: URLs. Such a part was
traditionally supported by browsers, however, until IE was fixed (about a
year ago I think, though people are known to run unfixed IEs of course, and
do other silly things). So in a sense, we have a rare case: IE has stricter
security settings (by default, in new versions) than Firefox.
If I just paste the target website address into IE the link works so the
problem seems only to occur when I'm redirecting to an http address that
has the name and password embedded and I'm using IE.


There might be limitations in this security feature in your browser.
Actually it is quite possible that you are using an _old_ unfixed version
of IE, since on my IE,
http://name:pa**@www.address.com/
results in an error message about incorrect syntax, while
http://www.address.com/
works. (Actually it seems that the page is not password protected at all.
Are you sure you didn't mistype something at some point.)

Anyway, URL specifications have _strongly_ warned against including
passwords into URLs for years. The security reasons for this should be
obvious, given the fact that URLs get stored at different places in many
ways.

--
Yucca, http://www.cs.tut.fi/~jkorpela/
Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html

Jul 23 '05 #2
Ian <ia*@nospam.com> wrote:
where $link is something like:
"http://name:pa**@web.address.com"

The function works perfectly when I use Firefox but fails when I use IE.
If I just paste the target website address into IE the link works so the
problem seems only to occur when I'm redirecting to an http address that
has the name and password embedded and I'm using IE.


For "security" reasons Microsoft has "fixed" IE so that
username:password@ no longer works.
cheers,
Steve

Jul 23 '05 #3
Jukka K. Korpela wrote:
The URL does not comply with URL specifications, which
disallow username:password part in http: URLs.


I was really surprised reading this. What did you mean exactly by
"disallow" ? The username:password@... URL type is defined in RFC2396
chap. 3.2.2, although indeed their use isn't recommended.
If I just paste the target website address into IE the link works so the
problem seems only to occur when I'm redirecting to an http address that
has the name and password embedded and I'm using IE.


There might be limitations in this security feature in your browser.


Indeed Microsoft added a patch tha change the default behavior for these
types of URLs. See Q834489 :
http://support.microsoft.com/?id=834489
Jul 23 '05 #4
On Fri, 14 Jan 2005, Pierre Goiffon wrote:
I was really surprised reading this. What did you mean exactly by
"disallow" ? The username:password@... URL type is defined in
RFC2396 chap. 3.2.2,


As a generic URI syntax, yes. That's an over-arching definition for
all kinds of URI: you also have to look at the definition of your
specific URI scheme (ftp:, http:, news: ... whatever) to find out
which of those generic components is used, and what additional
restrictions apply to that particular scheme.

As it says in the generic RFC:

Some URL schemes use the format "user:password" in the userinfo
^^^^
field.

The use of the user:pass component in an http: URL is explicitly
disallowed in the specific definition of the http: URL format. And
that's the point here.
Jul 23 '05 #5
Alan J. Flavell wrote:
As it says in the generic RFC:

Some URL schemes use the format "user:password" in the userinfo
^^^^
field.

The use of the user:pass component in an http: URL is explicitly
disallowed in the specific definition of the http: URL format. And
that's the point here.


Thanks to pointed that out, I missed that one.
Jul 23 '05 #6

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by Nick Whitelegg | last post: by
18 posts views Thread by Philipp Lenssen | last post: by
7 posts views Thread by Bernd Liebermann | last post: by
1 post views Thread by chandra.somesh | last post: by
reply views Thread by comp.lang.php | last post: by
5 posts views Thread by One | last post: by
4 posts views Thread by Call Me Tom | last post: by
1 post views Thread by CARIGAR | last post: by
reply views Thread by harlem98 | last post: by
1 post views Thread by Geralt96 | last post: by
reply views Thread by harlem98 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.