This is a follow up post of my previous question about BASIC auth over HTTPS
Are the path to the resource and query string passed securely to the server if I use HTTPS?
i.e.
URI: http://server/path/to/a/resource?with=a&query=string
Server: server
path: /path/to/a/resource
query string: with=a&query=string
This is a really good explanation of this: http://answers.google.com/answers/threadview/id/758002.html#answer
Summary: only the host and port would be visible unencrypted.
In short, yes. But you shouldn't store sensitive data in URL's since it may be visible in the browsers history and server logfiles. And anyone who looks over your shoulder sees it too.
Yes it is - the entire session is secured and encryped so anything you send, including the query string is unreadable.
You can prove this to yourself, if you wish, by using something like Fiddler to view the http/https traffic you generate when you visit a secure url. Anything you send over HTTPS will not show the querystring, as shown here:
The actual URL I was visiting looked like this:
https://www.halifax-online.co.uk/_mem_bin/formslogin.asp?source=halifaxcouk&simigvis=
As per other answers, you shouldn't pass any sensitive information in the querystring as this may be stored in your webservers log files, so if you were passing a username/password combination anyone who could access your logs would be able to capture that information. This could allow someone to log into your site/application as if they were someone else even if you were making efforts such as storing passwords in your database as salted hashes, rather than plaintext.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With