A colleague and I had a heated debate yesterday about whether it is safe to send login credentials via URL parameters as a means of authentication. He correctly pointed out that HTTPS encrypts all non-hostname/port characters in a URL before sending a request to the server side.
However, I still think there are edge cases here where it is possible to steal these credentials, and believe they should be sent via an HTTPS POST. Is this actually a safe means of sending login/token data?
An encrypted HTTPS request protects most things: This is the same for all HTTP methods (GET, POST, PUT, etc.). The URL path and query string parameters are encrypted, as are POST bodies.
It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:[email protected]/ -- this sends the credentials in the standard HTTP "Authorization" header.
To summarise my recommendations for securely including credentials in a URL: Always use a limited-scope token such as a capability token (key) or limited scope OAuth access token. Ideally the token should only provide access to the one resource named in the URL. Never ever ever put a username and password in a URL.
URLs and query parameters aren't secure. They should never contain sensitive or important information (passwords, static shared secrets, private information, etc.).
The requested URL might show up in Web server logs and browser history/bookmarks which is not a good thing.
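The log exposure mentioned above can be checked for and cleaned up on the server side. The following is an added example, not code from any of the quoted answers: it scans access log lines in Combined Log Format, flags credentials found in the request URL or the Referer, and redacts them. The parameter names in SENSITIVE and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed parameter names that carry secrets; adjust to your application.
SENSITIVE = {"password", "passwd", "pwd", "token", "access_token", "api_key", "secret"}

# Combined Log Format: prefix, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)'
    r'(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<post>" "[^"]*")$'
)

def redact_url(url):
    """Return (redacted_url, leaked_names) for a request target or Referer value."""
    parts = urlsplit(url)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    netloc = parts.netloc
    if parts.password:  # user:password@host form of a URL
        leaked.append("userinfo")
        netloc = "REDACTED@" + netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(pairs), parts.fragment)), leaked

def scrub_line(line):
    """Redact secrets in the request target and Referer of one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return line, []  # not Combined Log Format; leave untouched
    target, leaked_t = redact_url(m["target"])
    referer, leaked_r = redact_url(m["referer"])
    clean = f'{m["pre"]}{m["method"]} {target} {m["proto"]}{m["mid"]}{referer}{m["post"]}'
    return clean, leaked_t + leaked_r

# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /img/logo.png HTTP/1.1" 200 900 "https://app.example/report?token=abc123" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        clean, leaked = scrub_line(line)
        print(leaked, clean)
```

The POST line passes through unchanged because its credentials travel in the request body, which this log format never records. The third line shows a token in a URL being recorded through the Referer header of a later request.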