I've set Force authentication to Never, because I don't want any of my users to ever see the password dialog.

However, I'd like to be able to log in using the http://userid:password@example.com/path syntax. This works if I force authentication, but it has no effect otherwise.

I understand this used to be the purpose of the HTTP Authentication module, which was merged into Secure Site, so I'm marking this as a bug rather than a feature request.

Am I missing something?

Comments

salvis’s picture

salvis
he/his
CreditAttribution: salvis commented

I'm seeing some weird behavior: I'm trying to use WinHTTrack to capture a static copy of my site. The site has a public part and some forums that are protected by node access.

WinHTTrack supports logging in using the http://userid:password@example.com/path syntax and it does capture the public part of the site as user userid! However, it receives 403 errors as soon as it tries to follow a link to a protected forum.

Apparently, WinHTTrack creates a new userid session for every request, because the Who's Online block shows a couple hundred of them after WinHTTrack has run, and the captured pages show the logged in state. (I haven't been able to create a userid session by typing http://userid:password@example.com/ syntax into Firefox myself though.) However, WinHTTrack fails to establish a userid session for protected paths!

I'm really puzzled why it works on the public paths but not on the protected ones.

BTW, I do have my own 403 page and would like to keep it.

Is there a way to programmatically test whether the user is supplying userid:password?

ekes’s picture

ekes CreditAttribution: ekes commented

"haven't been able to create a userid session by typing http://userid:password@example.com/ syntax into Firefox myself though." It seems that Firefox doesn't try http auth unless it's required. I can login with userid:password with Opera, but not Firefox (or Thunderbird) if it's not forced for example.