Can I make AJAX work with HTTP authorization?
December 18, 2006 6:33 PM Subscribe
Is it possible to make an AJAX request work with an HTTP authorization-protected server script?
I have a personal CGI script which is protected with a "require user" directive in the .htaccess file. I'm trying to add a little bit of AJAX to it, but it's not working. A look at the logs indicates that the requests from the XMLHttpRequest object are failing with a 401 ("Not authorized") error and aren't submitting a username.
Google searching wasn't very helpful; there are lots of sites about "http authorization" that also include the term "AJAX" but only as part of an ad or navigation feature. Is it possible to make AJAX requests send along the same authorization information as the browser, and if so, how?
I have a personal CGI script which is protected with a "require user" directive in the .htaccess file. I'm trying to add a little bit of AJAX to it, but it's not working. A look at the logs indicates that the requests from the XMLHttpRequest object are failing with a 401 ("Not authorized") error and aren't submitting a username.
Google searching wasn't very helpful; there are lots of sites about "http authorization" that also include the term "AJAX" but only as part of an ad or navigation feature. Is it possible to make AJAX requests send along the same authorization information as the browser, and if so, how?
If not, you'll want to set the appropriate header using
posted by Khalad at 6:45 PM on December 18, 2006
setRequestHeader()
. See Wikipedia: Basic authentication.posted by Khalad at 6:45 PM on December 18, 2006
Actually, it looks like the 4th and 5th parameter of the open() call take username and password values. Have you tried that?
posted by null terminated at 6:45 PM on December 18, 2006
posted by null terminated at 6:45 PM on December 18, 2006
Response by poster: As it turns out, I'm just an idiot. I had completely missed including the subdomain in the URL, and so the request was still hitting the same script, but for domain that I wasn't authorized for. I fixed that, and then it does pick up the authorization information from the browser. I appreciate the answers, though, especially since I hadn't considered looking for more params for open().
posted by Godbert at 6:55 PM on December 18, 2006
posted by Godbert at 6:55 PM on December 18, 2006
Just to follow up, the user:pass@server method is getting some criticism lately due to it being used in phishing attacks. Until it pays itself out I wouldn't recommend using it since it's a possibility some clients disable support for it in the future.
posted by sipher at 12:05 AM on December 19, 2006
posted by sipher at 12:05 AM on December 19, 2006
This thread is closed to new comments.
posted by null terminated at 6:37 PM on December 18, 2006