
dhis2-devs team mailing list archive

Re: ADD credentials in DHIS2 url

 

Hi Djibril,

Just a note, GET requests / URLs are often cached by intermediary
caches/proxies/servers on the web (as per the HTTP spec) so if you do this
you should consider your credentials to be public knowledge.

regards,

Lars



On Fri, 8 Jun 2018 at 12:23, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:

> This is not really a dhis2 thing so much as a change in browser
> behaviour.  In times gone by when you presented a url like
> "https://admin:district@xxxxxxxxxxxxxx/dev/api/me" the browser would
> take that url and create the basic authentication header that Jason
> refers to.
>
> After a couple of wobbles along the way since 2014, this is no longer
> the default behaviour on any of the major browsers.  It's really
> because URLs find themselves in history, bookmarks, log files etc.
> which are not appropriate places to be storing credentials.
>
> (sections 3.2.1 and 7.5 of https://www.ietf.org/rfc/rfc3986.txt)
>
> Chrome held out the longest, but is now also compliant with the new
> behaviour.
>
> On 8 June 2018 at 10:51, DJIBRIL Hakim <djib.hakim@xxxxxxxxx> wrote:
> > ok I see the point of view
> > thank you jason!
> >
> > 2018-06-08 9:35 GMT+00:00 Jason Pickering <jason.p.pickering@xxxxxxxxx>:
> >>
> >> Hi Hakim
> >>
> >> No, that is not possible and would not be a good idea since your
> >> credentials would be visible in the request itself.
> >> You will need to use a basic authentication header for this as described
> >> in the manual:
> >>
> >> https://docs.dhis2.org/master/en/developer/html/webapi_authentication.html
> >>
> >> Regards,
> >> Jason
> >>
> >>
> >> On Fri, Jun 8, 2018 at 11:19 AM DJIBRIL Hakim <djib.hakim@xxxxxxxxx>
> >> wrote:
> >>>
> >>> Hi All,
> >>> Please, I would like to know if it is possible to add authentication
> >>> directly in the URL
> >>> Example: username:password@[dhisUrl]/api/.....
> >>>
> >>> Best
> >>> _______________________________________________
> >>> Mailing list: https://launchpad.net/~dhis2-devs
> >>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> >>> Unsubscribe : https://launchpad.net/~dhis2-devs
> >>> More help   : https://help.launchpad.net/ListHelp
> >>
> >>
> >>
> >> --
> >> Jason P. Pickering
> >> email: jason.p.pickering@xxxxxxxxx
> >> tel:+46764147049
> >
> >
> >
> >
>
>


-- 
Lars Helge Øverland
Technical lead, DHIS 2
University of Oslo
lars@xxxxxxxxx
https://www.dhis2.org
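
Added example, not part of the original thread: a small Python helper that takes a URL carrying `user:password@` userinfo, strips it from the URL, and builds the Basic authentication header the replies recommend instead. The host `dhis.example.org` and the function names are constructed for illustration; `admin:district` is the pair quoted in the thread.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Return (clean_url, headers) with any userinfo moved into a Basic auth header."""
    parts = urlsplit(url)
    # Rebuild the authority without the userinfo component (RFC 3986, section 3.2.1).
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean_url = urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
    )

    headers = {}
    if parts.username is not None:
        # Userinfo is percent-encoded inside a URL; the header carries the raw values.
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    return clean_url, headers


def redact_for_log(url):
    """Form of the URL that is safe for logs, history or bookmarks."""
    return split_credentials(url)[0]


if __name__ == "__main__":
    # Constructed sample input; the hostname is a placeholder.
    sample = "https://admin:district@dhis.example.org/dev/api/me"
    url, hdrs = split_credentials(sample)
    print("request URL:", url)
    print("header set :", sorted(hdrs))      # header name only, not the value
    print("log line   :", redact_for_log(sample))
```

The Basic header is only base64-encoded, not encrypted, so it still needs HTTPS; what it avoids is the credentials landing in the URL-based records (history, bookmarks, log files) mentioned above.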
