JMeter Basic Authentication

I’ve found through debugging requests coming in from JMeter that the HTTP Authorization Manager module doesn’t encode the username and password correctly. It puts a newline character after the username. To run a JMeter test against a Basic Auth protected endpoint, include the HTTP Header Manager and add the Basic Auth header yourself: Manually Encoding … Read more

Basic HTTP authentication with Node and Express 4

Simple Basic Auth with vanilla JavaScript (ES6) app.use((req, res, next) => { // ———————————————————————– // authentication middleware const auth = {login: ‘yourlogin’, password: ‘yourpassword’} // change this // parse login and password from headers const b64auth = (req.headers.authorization || ”).split(‘ ‘)[1] || ” const [login, password] = Buffer.from(b64auth, ‘base64’).toString().split(‘:’) // Verify login and password are … Read more

PHP_AUTH_USER not set?

There is a ‘sensible way’ to use HTTP Basic Auth in CGI-mode PHP: in the .htaccess use RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] and in the PHP use list($_SERVER[‘PHP_AUTH_USER’], $_SERVER[‘PHP_AUTH_PW’]) = explode(‘:’, base64_decode(substr($_SERVER[‘HTTP_AUTHORIZATION’], 6)));

CURL to access a page that requires a login from a different page

The web site likely uses cookies to store your session information. When you run curl –user user:pass https://xyz.example/a #works ok curl https://xyz.example/b #doesn’t work curl is run twice, in two separate sessions. Thus when the second command runs, the cookies set by the 1st command are not available; it’s just as if you logged in … Read more

How to set the authorization header using cURL

http://curl.se/docs/httpscripting.html See part 6. HTTP Authentication HTTP Authentication HTTP Authentication is the ability to tell the server your username and password so that it can verify that you’re allowed to do the request you’re doing. The Basic authentication used in HTTP (which is the type curl uses by default) is plain text based, which means … Read more

How can I suppress the browser’s authentication dialog?

I encountered the same issue here, and the backend engineer at my company implemented a behavior that is apparently considered a good practice : when a call to a URL returns a 401, if the client has set the header X-Requested-With: XMLHttpRequest, the server drops the www-authenticate header in its response. The side effect is … Read more

tech