remember http credentials

[JocelynDelalande]

Hi !

Right now, if we try to access a http ressource which require HTTP auth, the user is prompted for a login/password, that's realy a nice thing (not all players do that...).

The irritating thing is it's prompted each time a new ressource is accessed.

I use vlc to play remotly playlists over HTTP... and I'm prompted for credentials for each track of the list.

It would be great if VLC remember a login+password for a given host+realm (at least for the current vlc instance).

Anyway, thanks for that great piece of code !

[VLC_help]

Wouldn't it be a security risk?

[JocelynDelalande]

Wouldn't it be a security risk?

Sure... but no more than any web browser that do exactly the same afaik.
A good compromise may be to keep the credentials only for a vlc session (in RAM only).

To explain better my motivation :
I use HTTP auth with a web-based jukebox (zina) that I want to keep private. HTTP auth is the only way to enforce that access restriction at player level... But right now when I play an album with VLC, I'm prompted for credentials at each track... quite irritating .

[spamathon]

Another vote for this. It would be very handy. And no, it wouldn't be a security risk.

[alt_nick]

We'd need this too for a VOD service.

Is anyone already working on it or should I brush up on my C?
From what I could see the http access module is recreated each stream. Is there a way to store session variables or should this be delegated to a new module ('http_credentials'?) that is alive for the whole VLC session?

[volatilebunny]

Bump. This is a feature that would be real easy to implement and would save me a lot of heartache! Something simple like:

Code: Select all

// ......................................................... // In the function that pops the http auth dialog box String httpUsername = HttpCredential.getLastUsedUsername(); String httpPassword = HttpCredential.getLastUsedPassword(); if(httpUsername == null && httpPassword == null){ // ... whatever you do now } // ............................................... // in HttpCredential.cpp class httpCredential{ private static String username = null; private static String password = null; public static HttpCredential::getLastUsedName(){ return this.username; } public static HttpCredential::getLastUsedPassword(){ return this.password; } }

[timtim885]

Was this ever implemented in a newer version? I can't seem to find a way to do this, and Googling the feature only comes to this page.

[VLC_help]

This hasn't been implemented. Nor I have seen any development related to this.

[panic]

I also would like to see this implemented.

[orinoco]

Would be nice to have that possibility, streaming problems are most annoying in using VLC.

[vaicine]

+1 I would like this.

Is there any work around? If I stream music using VLC over http with http auth, it asks me for credentials every time a new song is played.

[Jean-Baptiste Kempf]

Patches are welcome for this functionnality

[james.h.bates]

Here is a patch against the current (11.04.2012) master branch of the git repository, which does exactly that: it remembers the user and password that were used for the last successful authentication, and tries them first, before prompting for a new user and password.

The implementation is extremely naive: it doesn't check the host, or the http realm to see if the cached user/password are relevant at all, so you could be sending a user/password site cached form a previous request to a completely unrelated server. That could be improved of course by more intelligent cache management...

Cheers,
James

Code: Select all

index 9817bca..a8414b7 100644 --- a/modules/access/http.c +++ b/modules/access/http.c @@ -192,6 +192,13 @@ struct access_sys_t vlc_array_t * cookies; }; + +char *psz_cached_http_user = NULL; +char *psz_cached_http_password = NULL; + + + + /* */ static int OpenWithCookies( vlc_object_t *p_this, const char *psz_access, unsigned i_redirect, vlc_array_t *cookies ); @@ -534,6 +541,20 @@ connect: Disconnect( p_access ); goto connect; } + + + if (psz_cached_http_user && psz_cached_http_password) { + + p_sys->url.psz_username = strdup(psz_cached_http_user); + free(psz_cached_http_user); + psz_cached_http_user = NULL; + p_sys->url.psz_password = strdup(psz_cached_http_password); + free(psz_cached_http_password); + psz_cached_http_password = NULL; + Disconnect(p_access); + goto connect; + } + msg_Dbg( p_access, "authentication failed for realm %s", p_sys->auth.psz_realm ); dialog_Login( p_access, &psz_login, &psz_password, @@ -556,6 +577,18 @@ connect: } } + + /* Succesful authentication => remember user/password if any */ + if (p_sys->url.psz_username) { + + psz_cached_http_user = strdup(p_sys->url.psz_username); + } + + if (p_sys->url.psz_password) { + + psz_cached_http_password = strdup(p_sys->url.psz_password); + } + if( ( p_sys->i_code == 301 || p_sys->i_code == 302 || p_sys->i_code == 303 || p_sys->i_code == 307 ) && p_sys->psz_location && *p_sys->psz_location )

[Jean-Baptiste Kempf]

Patches should be sent to vlc-devel

[mysoogal]

Wouldn't it be a security risk?

why would it be ? could you explain why this might be a security

[VLC_help]

http://www.itbusinessedge.com/cm/blogs/ ... /?cs=47183

[chconnor]

Resurrecting to +1... Yes, please! The patch submitted would be totally adequate for me.

Not a security risk at all, any more than a web browser remembering a password in RAM. That link relates to passwords stored on-disk, which is not being discussed here. If we want to split hairs, I'd say that entering the password over and over for each track in a playlist is more of a security risk than keeping it in RAM for the duration of the vlc executable.

-c

[Mettbrot]

I would very much like to see this! Maybe someone can rebase that patch from above to get it into current development tree...

edit: Could you take a look at this? https://github.com/Mettbrot/vlc/commit/ ... 832a319c0d
There are no active pull requests on the vlc repo so I wonder if this is appreciated?

[Jean-Baptiste Kempf]

Send it to vlc-devel@videolan.org

[Mettbrot]

done.

[guybrush2k4]

hello guys,
sorry for bringing back to live this thread,
unfortunately It hasn't been implemented on the latest version. (Or I didn't manage to find the option)
is any development ongoing for this? or at least some place to place a petition.

But this would really be a cool feature
I love VLC and I would hate having to find another option for listen to my streamin music at work
Regarding the security I think is what most browsers does. 1 keep for the active session, 2 save in some encrypted way if the users acknoledge does.

Anyway I have found a workarround.
My servers sends me a *.m3u file with the streaming url.
so my workarround is to edit the m3u file to include user and password. (hopefully they are not being send clear text over the network)
example:
#EXTM3U
#EXTINF:191,El Canto del Loco - Volver a disfrutar
https://myserver.com:443/ampache/play/i ... frutar.mp3
you can chage the line for:
https://user:password@myserver.com:443/ ... frutar.mp3

and it won't ask for the password any more. it's just a search and replace after downloading the playlist.

hope that helps.
Guybrush.

[Jean-Baptiste Kempf]

VLC 3.0.0 remembers credentials.

[Andre0815]

I have the current 3.0.11 and my vlc does not remember credentials using the Chrome "Open in VLC" plugin and http mp4 links., Must that be activated anywhere ?

[Andre0815]

even on Open Networkstream , with a different Mp4 on the same server , on the same vlc instance an account hint is prompted. It seams to me that the http account is stored by fileURL key and not by serverName. (Only on the same fileName no Account hint is showen)

And next the chrome "Open in VLC" plugin opens everytime a new instance of VLC and therefore a usage of the InRAM instance stored HTTP account is not reachable for the new VLC instance , so the account hint wil be showen on every "Chrome, Open in VLC.." action..
It would be greate if the multiple VLC instances can hold only one static HTTP-Accound cache that survives VLC shutdowns. Another sollution can be that the Open in VLC Plugin passes http basic-auth infos to the VLC so that browser entered account will be used.

Currently I do not see a sollution for preventing account hints everytime on chrome Open in VLC actions..

[Rémi Denis-Courmont]

HTTP credentials should be per authority (server name and port) and realm. Not sure if VLC incorrectly varies them by the hier-part (path) as well.