Online Authentication IE disallows user and password
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Online Authentication IE disallows user and password
I am attempting to use online user authentication, but file download does not support using users and passwords due to its leveraging of the IE download engine.
IE will not allow https://username:password@example.com/mysite/auth.txt
My question is: how can I do online authentication without being able to pass a user and password? Or am I missing something?
-
- Site Admin
- Posts: 5361
- Joined: Sun Aug 22, 2010 4:28 am
Re: Online Authentication IE disallows user and password
Dear Erik,
Unfortunately, it is disabled by default in IE for security reasons.
Please refer to the following Microsoft support KB. I suppose that it can be enabled again.
http://support.microsoft.com/kb/834489/en-us
Hope this helps you.
Regards
Francesco Toscano
InstallAware Software
White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Re: Online Authentication IE disallows user and password
Unfortunately I already knew that and have seen that KB case. I knew it was disabled for IE which is what the File Download leverages.
So how can any authentication be done under the current File Download plugin?
As I understand it, without this feature any online authentication would be completely insecure and easy to circumvent.
The example for doing online authentication will not work unless there is something I am not understanding.
Please advise.
Thanks
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Re: Online Authentication IE disallows user and password
I found an easy way to re-enable the ability in IE, but I still get a 401 error when I attempt to authenticate.
Is there a problem with the @ symbol and the File Download plugin?
My download URL for the File Download plugin would be as follows https://$USER$:$PASSWORD$@$MYSERVERURL$ ... c/auth.txt
-
- Site Admin
- Posts: 5361
- Joined: Sun Aug 22, 2010 4:28 am
Re: Online Authentication IE disallows user and password
Dear Erik,
Which way did you use? I would like to replicate it.
As far as I know, the "@ symbol" should be passed as it is.
Regards
Francesco Toscano
InstallAware Software
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Re: Online Authentication IE disallows user and password
I am using the download file option.
I am attempting to authenticate against an Apache web server using basic authentication.
I can see my application hitting the web server, but it gets a 401 error.
If I pass the same URL into a browser, it works just fine. I had to add the self-signed cert to my trusted root store for IE before it would even hit my access logs on the web server.
I am using Windows 7 64 bit pro. Also tried it on Windows 7 enterprise 32 bit.
Let me know if you need any more information.
-
- Site Admin
- Posts: 5361
- Joined: Sun Aug 22, 2010 4:28 am
Re: Online Authentication IE disallows user and password
Dear Erik,
As far as I know, file download uses IE settings and engine, so that's the reason why the IE restrictions cause the issue.
... mmm.... not very easy ... let me see if a possible alternative exists ... I suspect that with those IE restrictions it will be very difficult.
Regards
Francesco Toscano
InstallAware Software
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Re: Online Authentication IE disallows user and password
Actually there is a way to disable the restrictions in IE by simply adding 2 registry keys and restarting IE.
I have tried this and I can access the webpage via IE with no issues. But it does not fix the problem.
Originally I figured it was the issue with IE restrictions as well. If I have the keys in the registry to allow passing the user and password I see my setup hitting the webserver and taking a 401 error. If I remove the keys and restart IE I still get the same 401 error.
The download file plugin may be using the IE engine but it does not act the same way IE does.
-
- Site Admin
- Posts: 5361
- Joined: Sun Aug 22, 2010 4:28 am
Re: Online Authentication IE disallows user and password
Dear Erik,
Let me do some tests and I will tell you.
Regards
Francesco Toscano
InstallAware Software
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Re: Online Authentication IE disallows user and password
Any update on this issue? Or any workaround that will resolve the problem of online authentication?
-
- Site Admin
- Posts: 5361
- Joined: Sun Aug 22, 2010 4:28 am
Re: Online Authentication IE disallows user and password
Dear Erik,
I am very sorry, but I did not have sufficient time to complete any test.
Unfortunately I was unable to complete the realization of an online authenticated access to perform the necessary tests.
I hope to be able to do it in the next few days.
Regards
Francesco Toscano
InstallAware Software
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Re: Online Authentication IE disallows user and password
Still no word on this issue.
Does anyone have information as to how to implement Online Authentication against a password protected website?
-
- Site Admin
- Posts: 5361
- Joined: Sun Aug 22, 2010 4:28 am
Re: Online Authentication IE disallows user and password
Dear Erik,
I have personally worked on this, spending some time to see how this can be achieved.
I faced the same issue because it was my intention to do the same for a personal project, but actually I have decided to move in a different way.
The main problem is that passing credentials in the URL is not safe at all and, as you already know, this has been disabled by default in IE and other browsers for the same security reasons. Also, even if it works after enabling it again in IE (registry modifications), you must enable it on every customer PC that uses your software. I do not know if your customers will agree with this, but I can assure you that my users will not at all.
In fact, if you do a quick search on Google about the topic, it is widely not recommended.
Probably (honestly, I have not tested it) it is possible to use different approaches to do it, such as placing credentials in query strings.
But even when passing user credentials in encrypted form, the protection can be easily circumvented.
There are numerous ways available to monitor or capture data.
For myself, and with the above considerations, I decided to move to a totally different approach.
Probably it is not totally safe (everything can be cracked) but of course it is more secure.
I have encrypted my downloadable files and used a personal user certificate to decrypt them.
So my files can be downloaded using URL without using credentials ... but the user must have my software to use it.
Hope that this can help you.
Francesco Toscano
InstallAware Software
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Re: Online Authentication IE disallows user and password
I did some more work and research into this issue.
It appears to me the fact that the download plugin uses the IE capabilities has nothing to do with the problem.
How Microsoft blocks the use of a user and password in a URL is completely different than how the plugin fails.
From my investigation, the plugin does indeed attempt to send to the URL. The problem is that the plugin does not know how to encode the user and password into Base64,
which is required when doing a GET request using basic authentication.
I am still researching other workarounds, but none of them seem to suit my needs.
Thanks
Erik
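The post above attributes the 401 to the client not turning the URL's user and password into a Base64 `Authorization` header. As an added example (not InstallAware or plugin code; the function names and the sample URL are constructed here), this Python code shows the translation an HTTP client has to perform and the check a Basic-auth server makes, and it also returns a credential-free URL, which relates to the earlier concern in the thread about credentials travelling in the URL.

```python
import base64
import hmac
from urllib.parse import urlsplit, urlunsplit, unquote


def split_userinfo(url):
    """Return (url_without_credentials, authorization_header_or_None)."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    # Rebuild the authority from host and port only, so the credentials
    # never appear in the request URL that clients and proxies log.
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path,
                        parts.query, parts.fragment))
    # Userinfo is percent-encoded in a URL; Basic auth encodes the raw text.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    raw = f"{user}:{password}".encode("utf-8")
    return clean, "Basic " + base64.b64encode(raw).decode("ascii")


def server_accepts(authorization, user, password):
    """The server-side check: it reads the header, never the URL."""
    if not authorization or not authorization.startswith("Basic "):
        return False                     # a real server answers 401 here
    try:
        decoded = base64.b64decode(authorization[6:], validate=True)
    except ValueError:                   # malformed Base64
        return False
    expected = f"{user}:{password}".encode("utf-8")
    return hmac.compare_digest(decoded, expected)


if __name__ == "__main__":
    # Constructed sample: the password "p@ss:w0rd" is percent-encoded.
    url = "https://erik:p%40ss%3Aw0rd@example.com:8443/mysite/auth.txt"
    clean, header = split_userinfo(url)
    print(clean)
    print(header)
    # A client that drops the userinfo sends no header and gets a 401.
    print(server_accepts(None, "erik", "p@ss:w0rd"))
    print(server_accepts(header, "erik", "p@ss:w0rd"))
```

Base64 here is an encoding, not encryption, so the header is only as confidential as the TLS connection carrying it.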
-
- Posts: 12
- Joined: Mon Oct 24, 2011 12:14 pm
Re: Online Authentication IE disallows user and password
Does anyone know how to build a plugin using Wget?
That would be a fantastic plugin considering the capabilities wget would bring to the table. It would completely remove the limitations of using the current file download plugin.
Plus it is open source. I think with a little work a very secure plugin could be created.
Currently I can drop wget, use it, and then delete it as soon as it has completed downloading the files. But it would be nice to have native support within InstallAware.
Thanks
Erik