Yes, we're now running our Black Friday Sale. All Access and Pro are 33% off until 2nd December, 2025:
Learn through the super-clean Baeldung Pro experience:
>> Membership and Baeldung Pro.
No ads, dark-mode and 6 months free of IntelliJ Idea Ultimate to start with.
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
1. Introduction
The wget command is a command-line utility for downloading data, creating full-site mirrors, and automating web data retrieval through scripting. However, getting beyond protected content on a web page using wget is a pain. The majority of modern websites have authentication mechanisms for protected content, making automation using wget somewhat challenging.
When we have login forms, session authentication, or other complex authentication mechanisms, wget is required to have some sort of configurations and strategies in place in order to bypass these.
In this tutorial, we’ll explore how to get past login screens using wget. We’ll learn about managing HTTP authentication, form logins, and session cookies, along with some hands-on examples and tips on making our web scraping and automation process better.
2. Understanding HTTP Authentication
HTTP authentication is a simple, yet effective mechanism for keeping unauthorized users away from web resources. HTTP authentication in a website can ask users for credentials via a pop-up in a web browser. The major forms of HTTP authentication are basic authentication and digest authentication. Next, we’ll learn about each of these.
2.1. Basic Authentication
Basic authentication is a straightforward mechanism where a server prompts for a password and a username. These are then Base64 encoded and sent along with each request. We can achieve this type of authentication with wget using the –user and –password options:
$ wget --user=username --password=password https://example.com/protected-pageThe credentials are sent in Base64, which isn’t secure unless it’s being sent over HTTPS. Now, let’s take a look at the command’s output:
--2025-02-26 10:20:01-- https://example.com/protected-page
Connecting to example.com... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12345 (12K) [text/html]
Saving to: 'protected-page.html'
protected-page.html 100%[===================>] 12.05K --.-KB/s in 0.002s
2025-02-26 10:20:02 (5.00 MB/s) - 'protected-page.html' saved [12345/12345]The output indicates a successful login, and wget downloads the protected page. However, we must keep passwords away from command histories and scripts since this practice isn’t secure.
2.2. Digest Authentication
Digest authentication offers more security than basic authentication by using MD5 hashing for credentials. However, wget provides limited support for digest authentication, and it may fail when the server requires stronger hashing algorithms. Let’s use wget in conjunction with digest authentication:
$ wget --http-user=username --http-password=password --auth-no-challenge --auth-digest https://example.com/protected-pageIn this example, the –auth-digest flag tells wget to use digest authentication. In some cases, we need to use the –auth-no-challenge flag to avoid authentication failures. Now, let’s see the output:
Connecting to example.com. Connected.
HTTP request sent, awaiting a response. 200 OK.
Length: 54321 (53K) [text/html]
Saving on protected-page.html
protected-page.html 100%[===================>] 53.05K --.-KB/s in 0.004sThis output shows a successful login. If digest authentication fails, we can resort to other methods such as curl or a headless browser for complicated authentication scenarios.
3. Form-Based Authentication
Most websites use form-based authentication, where we provide credentials via an HTML form, and the server sets cookies in return. In this case, we must discover the form’s fields and action URL. Here’s a command for doing authentication using a form via wget:
$ wget --post-data="username=user&password=pass" --save-cookies cookies.txt --keep-session-cookies https://example.com/loginThe command posts login credentials to the server via the –post-data flag. The –save-cookies flag saves session cookies in a file for all subsequent requests. Now, let’s observe the output:
--2025-02-26 10:22:15-- https://example.com/login
Storing cookies in cookies.txt
HTTP request sent, awaiting response. 302 Found.
Location: example.com/dashboard [
--2025-02-26 10:22:16-- https://example.com/dashboard
HTTP request sent, awaiting response. 200 OK.
Saving to: 'dashboard.html'
The output indicates a successful login, as the server redirects wget to the dashboard page (response status code 302). We can reuse the session cookies in cookies.txt to retain the authenticated session.
4. Managing a Session Using Cookies
When session authentication is being used, we can export cookies via a browser and inject these into wget. This is especially handy when we have complex login sequences. Let’s take advantage of stored cookies using wget:
$ wget --load-cookies=cookies.txt https://example.com/protected-contentHere, we’ve used the –load-cookies flag, which makes use of cookies from a previous login for accessing protected content. In this case, we assume that we’ve already saved the cookie of a previous login in a file named cookies.txt.
5. Safe Storage of Credentials
Storing credentials in the command line can expose sensitive data via command-line history or process monitoring. We can, however, securely place credentials in the .wgetrc config file. This is not only a security-enhancing solution, it’s a convenient solution for avoiding repetition since authentication data is in a separate file:
$ echo -e "user=username\npassword=password" > ~/.wgetrc
$ chmod 600 ~/.wgetrc
Here, we edit the .wgetrc file in the user’s home directory. The echo command prints the username and password to be saved in the config file, and we assign secure permissions using chmod 600 so the file owner can read and modify it. This prevents unauthorized users from accessing vital data.
Now, we can take advantage of wget for accessing protected content without leaving credentials on the terminal:
$ wget https://example.com/protected-pageWe achieved this using the .wgetrc file while maintaining an uncluttered command session and preventing credential exposure.
6. Common Pitfalls and Troubleshooting
When we use wget to bypass login pages, we might encounter common issues such as failed redirects, incorrect headers, or authentication failures. The –debug option is a powerful tool that helps us diagnose these problems by providing detailed logs of the request and response processes.
To enable debugging, we can use the following command:
$ wget --debug --load-cookies=cookies.txt https://example.com/protected-contentThe –debug flag provides verbose output, showing each step wget takes while processing the request. Now let’s look at a sample debug output:
DEBUG output created by Wget 1.21.1 on linux-gnu.
--2025-02-26 12:45:01-- https://example.com/protected-content
Loaded cookies from cookies.txt
Resolving example.com... 93.184.216.34
Connecting to example.com|93.184.216.34|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Location: https://example.com/login
Location: https://example.com/login [following]
--2025-02-26 12:45:02-- https://example.com/login
Reusing existing connection to example.com:443.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Length: 5678 (5.5K) [text/html]
Saving to: 'login.html'
login.html 100%[===================>] 5.55K --.-KB/s in 0.002sThe output shows that instead of accessing the protected content, the server redirected wget to the login page. The 302 Found status code and the Location: https://example.com/login header indicates that authentication wasn’t successful. This issue might occur if cookies.txt contains expired or invalid session cookies.
To troubleshoot, we can first ensure that the cookies.txt file is up to date by logging in manually and exporting fresh cookies. If that’s the case, we can check whether wget is sending the correct headers, such as Referer and User-Agent using the –header option:
$ wget --debug --header="User-Agent: Mozilla/5.0" --load-cookies=cookies.txt https://example.com/protected-contentWith this approach, the debug output will help us verify if the server accepts the request or if further adjustments are needed. In short, the –debug option serves as an invaluable resource for diagnosing and resolving authentication and redirection issues when accessing protected content using wget.
7. Conclusion
In this article, we learned that accessing content on a login page via wget is possible using a variety of different methods, including basic authentication, submitting forms, and session handling using cookies. Each of these methods handles various authentication scenarios, ranging from straightforward HTTP authentication to more complicated forms-based authentication.
We’ve also learned how to use wget for securing credentials and troubleshooting errors. With these practices, we can automate web interactions, facilitate easier data retrieval, and adapt our strategy for dealing with different authentication mechanisms in a secure and effective way.