Passing basic auth credentials when navigating in browser

Question

The situation is:

• User is on site http://foo.com/ in one browser tab
• This site needs to have a link/button that will open https://bar.com/ in a new tab
• https://bar.com/ uses basic auth, and foo.com wants to automatically pass those credentials, such that the user is not prompted by the browser.

The obvious answer here is to pass the creds in the URL, e.g. https://user:password@bar.com. Unfortunately, this good old syntax doesn't work in all browsers (doesn't work in the latest IE).

I'm looking for an alternative that would work across all major browsers. e.g. potentially something along these lines:

• The foo.com page builds the Authorization header (by base 64 encoding the creds, ...)
• Somehow inject those headers into the request that gets sent to https://bar.com/, such that the request gets authorized with no user prompting.

Answer 1

Even if you are able to achieve sending the credentials to the site on the first request, unless the browser knows the contents of the credentials, it will have to prompt the user again for these credentials if the user navigates to another page on that same (bar.com) site that is protected by basic authentication.

If you have control over the bar.com site, then you might consider an alternative authentication scheme that uses a token generated by foo.com, which bar.com then interprets and, if valid, initializes its session to look at a cookie instead of requiring basic authentication for future requests.

Take a look at this question and this one.