Microsoft disables user:pass@server causing Invalid Syntax Error

hostultra · Feb 9, 2004

Just a notice to everyone
Microsoft seems to have disabled the http://user:password@server.com/ thing in the latest patch for internet explorer.

So if your login forms send your customers to an url like that they will get a invalid syntax error!

It took me ages to track this problem down.
Many customers were complaining to me about getting this error and could find no problem.
Today I updated my own PC with windows update, downloaded the IE service pack patch and i noticed it.

hostultra · Feb 9, 2004

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B834489

I know me, and alot of other hosts i have seen have a login box on their website which forwards to http://user:pass@server.com:2082/ so this maybe of help to those confused of the problem.

Infopro · Feb 9, 2004

You can shut this off by adding a registry entry.

To disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0:

For all users:
HKEY_LOCAL_MACHINE\Software\Microso
ft\Internet Explorer\Main\FeatureControl\FEATUR
E_HTTP_USERNAME_PASSWORD_DISABLE

For the current user only:
HKEY_CURRENT_USER\Software\Microsof
t\Internet Explorer\Main\FeatureControl\FEATUR
E_HTTP_USERNAME_PASSWORD_DISABLE
Click to expand...

Infopro · Feb 9, 2004

LOL, I posted 3 minutes too slow...

hostultra · Feb 9, 2004

Having customers edit a registry entry to login is not a good solution.

Is there any other way to redirect the browser into cpanel without asking for user/pass other then this method which doesnt work by default anymore.

Infopro · Feb 9, 2004

Originally posted by hostultra
Having customers edit a registry entry to login is not a good solution.

Is there any other way to redirect the browser into cpanel without asking for user/pass other then this method which doesnt work by default anymore.
Click to expand...

Well its a security measure that I don't think the average user should skirt around. But if you wanted to help out your users I guess you could whip up a few registry patches and offer them to your clients. Of course you'll need to make one for each version of windows.

I don't see a way to "re direct" anyone as there's no page there to add a redirect to.

hostultra · Feb 9, 2004

No i dont think you understand.
I dont want my users to have to download a registry patch.
I want it to work by itself, the way it did before microsoft screwed with it.

Is there another way to send in the username/password, like a javascript or URL trick other then http://user:pass@

Infopro · Feb 9, 2004

I understood you the first time. The answer is no.
Tell them to use https and type in the password every time. We are talking security here. There is no easy way around being safe. (other than editing the registry)

hostultra · Feb 9, 2004

I have multiple servers with a login on my site.
The login form redirects them to their cpanel for the appropriate server, without using user:pass@server it means the user will have to enter their username and password twice.
Once to find which server he is on, and another to login to the cpanel.

I cant belive microsoft would remove such a useful function just because a few people abused it for spoof sites.
At least a warning message would be better then disabling it completely.

Infopro · Feb 9, 2004

Your password should never be in plain view of anyone. This is a given.
Before, when you could login this way, your username and password were viewable on the bottom of your browser. So it's more than just some spoofed URLs.

Just change the login to a URL to get to the https URL and they can click that and login, it's not that tough..

hostultra · Feb 9, 2004

I created a work around :

<img border="0" width="0" height="0" src="http://user:pass@server.com:2082/frontend/x/branding/top_01-sm_bg.gif">
<script language="JavaScript">self.location.href='http://server.com:2082/';</script>

goodmove · Feb 12, 2004

Originally posted by Infopro
Your password should never be in plain view of anyone. This is a given. Before, when you could login this way, your username and password were viewable on the bottom of your browser. So it's more than just some spoofed URLs.

Just change the login to a URL to get to the https URL and they can click that and login, it's not that tough..
Click to expand...

Do you mean https://user-pass@ works with the IE update?

hostultra · Feb 12, 2004

Originally posted by goodmove
Do you mean https://user-pass@ works with the IE update?
Click to expand...

no it doesnt.

TogaDave · Feb 13, 2004

Just got my first customer support ticket about this this morning. Just what I wanted to do today, sit around explaining to users why they get a syntax error when they try to check webmail from within cpanel... the fun never ends LOL!

osfdeath · Feb 13, 2004

Originally posted by hostultra
I created a work around :

Code:

<img border="0" width="0" height="0" src="http://user:pass@server.com:2082/frontend/x/branding/top_01-sm_bg.gif"> <script language="JavaScript">self.location.href='http://server.com:2082/';</script> [/B]
Click to expand...
That does not work - login dialog box still appears

casey · Feb 23, 2004

It looks like Nick is working on it, too:

+-------------------------------------------------------------+
Sun Feb 22 15:59:28 EST 2004
8.9.0-EDGE_35
---------------------------------------------------------------
support http cookie logins
---------------------------------------------------------------
Click to expand...

Dr. Bogger · Feb 23, 2004

Originally posted by casey
It looks like Nick is working on it, too:
Click to expand...

Is this feature available yet? if so, how do you make it work? lol.

I dont know too much about cookies yet lol.

XPerties · Feb 25, 2004

For those who use https://root:PASSWORD@IP:2083 and have downloaded the latest IE fix from MS you will notice it no longer works. You get an syntax error. Here is the fix to remove the block.

Copy and paste this into a text file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000000
Click to expand...

save the text file as:

Enable username&password in IE.reg

then click on the file, and choose yes to import it into your registry. This will disable the MS update.

Infopro · Feb 25, 2004

I think I posted that in the beginning of this thread..

hostultra · Feb 25, 2004

Originally posted by osfdeath
That does not work - login dialog box still appears
Click to expand...

The login box will appear on those which have the microsoft patch, but will not appear if they do not have the patch.

it just avoids the horrible syntax error.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Microsoft disables user:pass@server causing Invalid Syntax Error

hostultra Well-Known Member

hostultra Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member

hostultra Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

hostultra Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

hostultra Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

hostultra Well-Known Member

goodmove Well-Known Member

hostultra Well-Known Member

TogaDave Well-Known Member

osfdeath Well-Known Member

casey Well-Known Member

Dr. Bogger Well-Known Member

XPerties Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

hostultra Well-Known Member

Setup DNS for Microsoft Active Directory

Cannot receive email from Microsoft mail server

Email marked as SPAM by Google and Microsoft

Microsoft hosted Exchange internal relay to cPanel pop (and dns) mail loop

DMARC, Microsoft and temperror

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Microsoft disables user:pass@server causing Invalid Syntax Error

hostultra Well-Known Member

hostultra Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

Infopro cPanel Sr. Product Evangelist Staff Member

hostultra Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

hostultra Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

hostultra Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

hostultra Well-Known Member

goodmove Well-Known Member

hostultra Well-Known Member

TogaDave Well-Known Member

osfdeath Well-Known Member

casey Well-Known Member

Dr. Bogger Well-Known Member

XPerties Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

hostultra Well-Known Member

Setup DNS for Microsoft Active Directory

Cannot receive email from Microsoft mail server

Email marked as SPAM by Google and Microsoft

Microsoft hosted Exchange internal relay to cPanel pop (and dns) mail loop

DMARC, Microsoft and temperror

Share This Page

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member