basic auth request

Jon Ribbens jon+usenet at unequivocal.eu
Wed Aug 18 19:05:46 EDT 2021


On 2021-08-18, Robin Becker <robin at reportlab.com> wrote:
> On 17/08/2021 22:47, Jon Ribbens via Python-list wrote:
> .......
>> That's only true if you're not using HTTPS - and you should *never*
>> not be using HTTPS, and that goes double if forms are being filled
>> in and double again if passwords are being supplied.
>
> I think I agree with most of the replies; I understood from reading
> the rfc that the charset is utf8 (presumably without ':')

The username can't contain a ':'. It shouldn't matter in the password.

> and that basic auth is considered insecure. It is being used over
> https so should avoid the simplest net scanning.

It's not insecure over HTTPS. Bear in mind the Basic Auth RFC was
written when HTTP was the standard and HTTPS was unusual. The positions
are now effectively reversed.

> I googled a bunch of ways to do this, but many come down to 1) using
> the requests package or 2) setting up an opener. Both of these seem to
> be much more complex than is required to add the header.
>
> I thought there might be a shortcut or more elegant way to replace the
> old code, but it seems not

It's only a trivial str/bytes difference, it shouldn't be any big deal.
But using 'requests' instead is likely to simplify things and doesn't
tend to be an onerous dependency.
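
Added example, not part of the original message or thread: one way to set the Basic auth header directly on a `urllib.request.Request` in Python 3, covering the str/bytes step, the ':' restriction on the username and the HTTPS requirement discussed above. The function names, the host `example.invalid` and the credentials are assumptions made up for illustration.

```python
import base64
import urllib.request
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for the Basic scheme."""
    if ":" in username:
        # The first ':' separates username from password, so the
        # username cannot contain one; the password can.
        raise ValueError("username must not contain ':'")
    # Python 3: b64encode takes bytes and returns bytes, so encode the
    # credentials (UTF-8 assumed here) and decode the result to str.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_request(url: str, username: str, password: str) -> urllib.request.Request:
    """Build a Request carrying Basic credentials, refusing non-HTTPS URLs."""
    if urlsplit(url).scheme.lower() != "https":
        # Base64 is an encoding, not encryption: without TLS the
        # password is readable by anyone on the path.
        raise ValueError("refusing to send Basic credentials without HTTPS")
    req = urllib.request.Request(url)
    # An unredirected header is not added to a redirected request, so
    # the credentials stay with the URL they were meant for.
    req.add_unredirected_header("Authorization", basic_auth_header(username, password))
    return req


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = build_request("https://example.invalid/report", "robin", "pa:ss-wörd")
    print(req.get_header("Authorization"))
    # urllib.request.urlopen(req) would perform the request.
```
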

