IE security patch disables passwords in URLs

[Alexander Turcic]

Microsoft released a patch last week that disables support for handling user names and passwords in HTTP and HTTPS. Read further if you are interested in enabling this feature again.

The problem occurs when programmers design a Web site to enable a Web user to log in by typing credentials into the URL. In such cases, the Web address might look like this:

http://username:password@www.somecompany.com/index.html.

The link gives the person access to a company's Web site when the authentication program verifies the username and password.

Because the username and password are part of the Web address and are not encrypted, embedding the credential in the URL is considered a security risk.

What Microsoft did is simply to disable the support for username:password@ urls. Cool, heh? All of a sudden, you come in one day, and things aren't working anymore, because Microsoft has determined that a way they are doing things is not secure.

So if you still want to be able to use this feature, download and execute the attached registry-file (remove the .txt extension first).

Code:

REGEDIT4
; Enable handling user information in HTTP and in HTTPS URLs
; More info here: http://support.microsoft.com/default...b;en-us;834489
; Feb 8, 2004. Turcic.com
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000000