Thursday, February 01, 2007

Specifying username/password in a URL

It is possible to specify a username (and password!) in a URL. For instance, when you open an ftp: URL, your browser automatically logs in to the FTP server as user "anonymous". You can specify a different username with the following syntax: ftp://username@hostname/
Assuming a password is required, your browser will then prompt you for one.
It is even possible, but inadvisable, to put a password in a URL: ftp://username:password@hostname/
This is inadvisable for several reasons. The URL being opened may be visible to other users on the same machine on which you are browsing (for example, when it is given on a command line). The URL retrieved from the remote machine may be logged in some non-secure place on the remote machine. Your browser history would then also contain a copy of your password.
Microsoft is disabling support in Internet Explorer for this kind of information inclusion in HTTP and HTTPS protocol URLs.
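One way to limit the log and history exposure described above is to strip the password from any URL before it is written out. The following is an added example, not part of the original post; the function names, the REDACTED and UNPARSEABLE-URL markers and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate URLs in free text: scheme://... up to whitespace, a quote or angle bracket.
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")

SAMPLE_LOG = [  # constructed sample lines, not taken from a real system
    "wget ftp://alice:s3cret@files.example.com/pub/report.pdf",
    "GET ftp://bob@files.example.com/ 200",
    "GET http://www.example.com/img/logo@2x.png 200",
    "fetch https://svc:p%40ss@[2001:db8::1]:8443/api?x=1",
]

def redact_url(url):
    """Return (url_safe_to_log, finding); finding is None, 'username' or 'password'."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None          # no userinfo; an '@' in the path does not count
    if parts.password is None:
        return url, "username"    # ftp://username@hostname/ carries no secret
    # Keep host[:port] exactly as written so IPv6 brackets and ports survive.
    hostport = parts.netloc.rpartition("@")[2]
    netloc = f"{parts.username}:REDACTED@{hostport}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, "password"

def redact_line(line):
    """Redact the password in every URL found in a line; return (line, findings)."""
    findings = []

    def _sub(match):
        try:
            clean, finding = redact_url(match.group(0))
        except ValueError:        # malformed authority: fail closed, drop the URL
            findings.append("unparseable")
            return "UNPARSEABLE-URL"
        if finding:
            findings.append(finding)
        return clean

    return URL_RE.sub(_sub, line), findings

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_line(entry))
```

Redaction at the logging side only covers logs you control; the password still reaches the process list, the browser history and the remote server's own logs.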
This page last updated January 28, 2004.
