For as long as I can remember, I could paste a username/pass/URL path
into my browser address window, for a subscriber-based website, such
as http://usernameABC:passwordXYZ@members.siteofchoice.com - and it
would effectively turn a 3 or 4 step process into 1 step, if the data
was valid... for reasons that i cannot comprehend, this format just
quit working for me, without any s/w changes I am aware of making, and
now only yields: "The page cannot be displayed" each and every time
without exception. I have rebooted a dozen times, nothing seems to
make my WIN ME on my IE 6.0.28 on my DELL PC go back to the old
well-loved magical ways... surely there must be a setting or trick or
something to resume what once was automatic and painless and
troublefree?

---

Clarification of Question by doodkj-ga on 25 Mar 2004 00:35 PST

The above anomaly(?) occurs on MANY and ALL subscriber sites, ones
that i can SUCCESSFULLY visit by browsing to www.siteofchoice.com,
choose "members login", enter username and password and click enter,
and it will allow me in successfully. SO: Just wanted to make clear
that this is not just occurring for one problem website, where pass
may have expired or whatnot. It's happened now on at least 50 sites
with different formats and passes. ALL fail; previously, ALL suceeded,
or gave "password expired message or whatever", not the IE error i now
get without exception. MUST be a browser issue? .Thanks.

Hi doodkja-ga!

There is a solution for you, which I'll explain at the end of this
explanation of why you shouldn't actually implement it.

What has happened to stop the behaviour that you are used to is that
you have installed a critical security update for Internet Explorer,
issued by Microsoft, that deliberately disabled this activity for
security reasons. While it seems annoying to you now, it is a Good
Thing.

More details on what this security update did and why it was issued by
Microsoft can be found here:

Microsoft Security Bulletin MS04-004
http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx

The key line here is the following one, which can be found by
expanding the Frequently Asked Questions section:

"The following URL syntax is no longer supported in Internet Explorer
or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext"

What you are used to doing is certainly easy and effective, but it
also opens you up to some major security dangers.

As Microsoft explain in their knowledge base:

"A malicious user might use this URL syntax to create a hyperlink that
appears to open a legitimate Web site but actually opens a deceptive
(spoofed) Web site. For example, the following URL appears to open
http://www.wingtiptoys.com but actually opens http://example.com:
http://www.wingtiptoys.com@example.com"

Microsoft Knowledge Base
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

Some other browsers get round this potential abuse by warning you of
the danger as it is about to happen. Opera, for example, warns you
every time you attempt to go to a site that contains a username and
password, even from a clicked link, and gives you the option of
cancelling this action before it happens. Microsoft have now chosen to
disable the action entirely.

Often these links are used for humorous ends, and even Microsoft
knowledge base articles have been spoofed! More seriously though, they
can be used to obtain credit card information. Imagine if you clicked
a link to a site that looked just like Amazon or Wal*Mart but only
realised that it was a spoofed site after you'd entered your credit
card details. That's the biggest danger.

And so to the fix. While I would recommend that you merely change the
way you do things for the security reasons listed in the knowledge
base article, it does also list a way in which you can revert to your
original method of doing things.

Merely page down to the very bottom of the page and follow the
instructions listed under the heading 'How to disable the new default
behavior for handling user information in HTTP or HTTPS URLs'.

I hope this answer satifies your requirements, but please feel free to
request clarification if it does not and I'll do my best to help
further.

Thank you for using Google Answers and I hope you return to us again soon.

poe-ga
Google Answers Researcher

Thank you for your tip!