The VideoLAN Forums

Posted: **26 Jul 2009 23:17**

Hi !

Right now, if we try to access a http ressource which require HTTP auth, the user is prompted for a login/password, that's realy a nice thing (not all players do that...).

The irritating thing is it's prompted each time a new ressource is accessed.

I use vlc to play remotly playlists over HTTP... and I'm prompted for credentials for each track of the list.

It would be great if VLC remember a login+password for a given host+realm (at least for the current vlc instance).

Anyway, thanks for that great piece of code !

Posted: **27 Jul 2009 13:21**

Wouldn't it be a security risk?

Posted: **27 Jul 2009 19:55**

Wouldn't it be a security risk?

Sure... but no more than any web browser that do exactly the same afaik.
A good compromise may be to keep the credentials only for a vlc session (in RAM only).

To explain better my motivation :
I use HTTP auth with a web-based jukebox (zina) that I want to keep private. HTTP auth is the only way to enforce that access restriction at player level... But right now when I play an album with VLC, I'm prompted for credentials at each track... quite irritating

.

Posted: **28 Jul 2009 12:38**

Another vote for this. It would be very handy. And no, it wouldn't be a security risk.

Posted: **06 Sep 2009 19:56**

We'd need this too for a VOD service.

Is anyone already working on it or should I brush up on my C?
From what I could see the http access module is recreated each stream. Is there a way to store session variables or should this be delegated to a new module ('http_credentials'?) that is alive for the whole VLC session?

Posted: **29 Nov 2010 22:50**

Bump. This is a feature that would be real easy to implement and would save me a lot of heartache! Something simple like:

Code: Select all


// .........................................................
// In the function that pops the http auth dialog box
String httpUsername = HttpCredential.getLastUsedUsername();
String httpPassword = HttpCredential.getLastUsedPassword();

if(httpUsername == null && httpPassword == null){
    // ... whatever you do now
}

// ...............................................
// in HttpCredential.cpp

class httpCredential{
   private static String username = null;
   private static String password = null;

   public static HttpCredential::getLastUsedName(){
      return this.username;
   }

   public static HttpCredential::getLastUsedPassword(){
      return this.password;
   }
}

Posted: **15 Dec 2010 22:47**

Was this ever implemented in a newer version? I can't seem to find a way to do this, and Googling the feature only comes to this page.

Posted: **16 Dec 2010 17:37**

This hasn't been implemented. Nor I have seen any development related to this.

Posted: **28 Dec 2010 17:19**

I also would like to see this implemented.

Posted: **18 Jan 2011 14:19**

Would be nice to have that possibility, streaming problems are most annoying in using VLC.

Posted: **08 Mar 2011 13:23**

+1 I would like this.

Is there any work around? If I stream music using VLC over http with http auth, it asks me for credentials every time a new song is played.

Posted: **13 Mar 2011 11:44**

Patches are welcome for this functionnality

Posted: **11 Apr 2012 23:07**

Here is a patch against the current (11.04.2012) master branch of the git repository, which does exactly that: it remembers the user and password that were used for the last successful authentication, and tries them first, before prompting for a new user and password.

The implementation is extremely naive: it doesn't check the host, or the http realm to see if the cached user/password are relevant at all, so you could be sending a user/password site cached form a previous request to a completely unrelated server. That could be improved of course by more intelligent cache management...

Cheers,
James

Code: Select all

index 9817bca..a8414b7 100644
--- a/modules/access/http.c
+++ b/modules/access/http.c
@@ -192,6 +192,13 @@ struct access_sys_t
     vlc_array_t * cookies;
 };
 
+
+char      *psz_cached_http_user = NULL;
+char      *psz_cached_http_password = NULL;
+
+
+
+
 /* */
 static int OpenWithCookies( vlc_object_t *p_this, const char *psz_access,
                             unsigned i_redirect, vlc_array_t *cookies );
@@ -534,6 +541,20 @@ connect:
             Disconnect( p_access );
             goto connect;
         }
+
+
+        if (psz_cached_http_user && psz_cached_http_password) {
+
+               p_sys->url.psz_username = strdup(psz_cached_http_user);
+               free(psz_cached_http_user);
+               psz_cached_http_user = NULL;
+               p_sys->url.psz_password = strdup(psz_cached_http_password);
+               free(psz_cached_http_password);
+               psz_cached_http_password = NULL;
+               Disconnect(p_access);
+               goto connect;
+        }
+
         msg_Dbg( p_access, "authentication failed for realm %s",
                  p_sys->auth.psz_realm );
         dialog_Login( p_access, &psz_login, &psz_password,
@@ -556,6 +577,18 @@ connect:
         }
     }
 
+
+    /* Succesful authentication => remember user/password if any */
+    if (p_sys->url.psz_username) {
+
+       psz_cached_http_user = strdup(p_sys->url.psz_username);
+    }
+
+    if (p_sys->url.psz_password) {
+
+       psz_cached_http_password = strdup(p_sys->url.psz_password);
+    }
+
     if( ( p_sys->i_code == 301 || p_sys->i_code == 302 ||
           p_sys->i_code == 303 || p_sys->i_code == 307 ) &&
         p_sys->psz_location && *p_sys->psz_location )

Posted: **13 Apr 2012 16:08**

Patches should be sent to vlc-devel

Posted: **18 Apr 2012 11:16**

Wouldn't it be a security risk?

why would it be ? could you explain why this might be a security

Posted: **18 Apr 2012 20:02**

http://www.itbusinessedge.com/cm/blogs/ ... /?cs=47183

Posted: **20 Dec 2012 00:45**

Resurrecting to +1... Yes, please! The patch submitted would be totally adequate for me.

Not a security risk at all, any more than a web browser remembering a password in RAM. That link relates to passwords stored on-disk, which is not being discussed here. If we want to split hairs, I'd say that entering the password over and over for each track in a playlist is more of a security risk than keeping it in RAM for the duration of the vlc executable.

-c

Posted: **27 Feb 2013 17:04**

I would very much like to see this! Maybe someone can rebase that patch from above to get it into current development tree...

edit: Could you take a look at this? https://github.com/Mettbrot/vlc/commit/ ... 832a319c0d
There are no active pull requests on the vlc repo so I wonder if this is appreciated?

Posted: **27 Feb 2013 23:38**

Send it to vlc-devel@videolan.org

Posted: **28 Feb 2013 10:46**

done.

Posted: **22 Aug 2016 11:46**

hello guys,
sorry for bringing back to live this thread,
unfortunately It hasn't been implemented on the latest version. (Or I didn't manage to find the option)
is any development ongoing for this? or at least some place to place a petition.

But this would really be a cool feature
I love VLC and I would hate having to find another option for listen to my streamin music at work

Regarding the security I think is what most browsers does. 1 keep for the active session, 2 save in some encrypted way if the users acknoledge does.

Anyway I have found a workarround.
My servers sends me a *.m3u file with the streaming url.
so my workarround is to edit the m3u file to include user and password. (hopefully they are not being send clear text over the network)
example:
#EXTM3U
#EXTINF:191,El Canto del Loco - Volver a disfrutar
https://myserver.com:443/ampache/play/i ... frutar.mp3
you can chage the line for:
https://user:password@myserver.com:443/ ... frutar.mp3

and it won't ask for the password any more. it's just a search and replace after downloading the playlist.

hope that helps.
Guybrush.

Posted: **25 Aug 2016 11:46**

VLC 3.0.0 remembers credentials.

Posted: **20 Jul 2020 20:22**

I have the current 3.0.11 and my vlc does not remember credentials using the Chrome "Open in VLC" plugin and http mp4 links., Must that be activated anywhere ?

Posted: **20 Jul 2020 20:25**

even on Open Networkstream , with a different Mp4 on the same server , on the same vlc instance an account hint is prompted. It seams to me that the http account is stored by fileURL key and not by serverName. (Only on the same fileName no Account hint is showen)

And next the chrome "Open in VLC" plugin opens everytime a new instance of VLC and therefore a usage of the InRAM instance stored HTTP account is not reachable for the new VLC instance , so the account hint wil be showen on every "Chrome, Open in VLC.." action..
It would be greate if the multiple VLC instances can hold only one static HTTP-Accound cache that survives VLC shutdowns. Another sollution can be that the Open in VLC Plugin passes http basic-auth infos to the VLC so that browser entered account will be used.

Currently I do not see a sollution for preventing account hints everytime on chrome Open in VLC actions..

Posted: **20 Jul 2020 20:55**

HTTP credentials should be per authority (server name and port) and realm. Not sure if VLC incorrectly varies them by the hier-part (path) as well.

The VideoLAN Forums

remember http credentials

remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials

Re: remember http credentials