Reputation: 152
In our application, we are sending passwords as part of the header for authentication to our auth service. However, we're running into a situation where users are using non-ASCII characters as part of their password, and I found out that non-ASCII characters are not supported in HTTP.
What are some approaches to handling this?
Upvotes: 1
Views: 4953
Reputation: 11871
You need to encode it in an ASCII-compatible format.
Base 64 is such an encoding.
Here is an example of how they did it for the HTTP Basic Authentication using Base 64 encoding.
The Authorization field is constructed as follows:
- The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
- The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the charset parameter.
- The resulting string is encoded using a variant of Base64.
- The authorization method and a space (e.g. "Basic ") is then prepended to the encoded string.
For example, if the browser uses Aladdin as the username and OpenSesame as the password, then the field's value is the base64-encoding of Aladdin:OpenSesame, or QWxhZGRpbjpPcGVuU2VzYW1l. Then the Authorization header will appear as:
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
So let's say your password is ǁǂǃDŽDždžLJLjljNJNjnjǍǎǏǐǑǒǓǔǕǖǗǘǙǚǛǜǝǞǟ, which cannot be represented using the ASCII charset.
Here is some pseudo code showing you how to do it:
var password = 'ǁǂǃDŽDždžLJLjljNJNjnjǍǎǏǐǑǒǓǔǕǖǗǘǙǚǛǜǝǞǟ'
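// base64Encode works on bytes: encode the password's UTF-8 bytes (the header shown below corresponds to UTF-8)
var base64EncodedPassword = base64Encode(password)
// Base64 output contains only ASCII characters, so it is valid as an HTTP header value
var httpHeader = new HttpHeader('Password', base64EncodedPassword)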
And it would result in the following header, represented using only ASCII characters:
Password: x4HHgseDx4THhceGx4fHiMeJx4rHi8eMx43HjsePx5DHkceSx5PHlMeVx5bHl8eYx5nHmsebx5zHnceex58=
Upvotes: 1
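The Basic authentication construction quoted in the answer above, carried through in both directions with UTF-8 (Node.js), as an added example that is not part of the original answer. The function names are hypothetical, and applying NFC normalization before encoding is an assumption of this example.

```javascript
// Added example (not from the original answer); function names are hypothetical.

// Client side: build the Authorization header value for Basic auth, encoding
// the credentials as UTF-8 before Base64 so the result is pure ASCII.
function buildBasicAuth(username, password) {
  if (username.includes(':')) {
    throw new Error('username must not contain a colon');
  }
  // Assumption of this example: NFC normalization, so the same visible
  // password yields the same bytes however it was typed.
  const credentials = `${username}:${password}`.normalize('NFC');
  return 'Basic ' + Buffer.from(credentials, 'utf8').toString('base64');
}

// Server side: strictly decode the header value; null on any malformed input.
function parseBasicAuth(headerValue) {
  const match = /^Basic ([A-Za-z0-9+/]+={0,2})$/.exec(headerValue);
  if (!match) return null;
  const bytes = Buffer.from(match[1], 'base64');
  // Buffer.from ignores bad input silently, so require a canonical round trip.
  if (bytes.toString('base64') !== match[1]) return null;
  let text;
  try {
    // fatal: true rejects byte sequences that are not valid UTF-8.
    text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch {
    return null;
  }
  // Split on the first colon only: the password may itself contain colons.
  const colon = text.indexOf(':');
  if (colon < 0) return null;
  return { username: text.slice(0, colon), password: text.slice(colon + 1) };
}
```

Base64 only makes the value safe to carry in a header; it is an encoding, not encryption, so the request still has to travel over TLS.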