Is it secure to pass login credentials as plain text in an HTTPS URL?
https://domain.com/[email protected]&Passwd=123password
Update: So let's say this is not being entered in the browser, but being generated programmatically and being requested with a POST request (not a GET request). Is it secure?
It is not secure to use this type of URL in a GET request (i.e. typing the URL into the browser) as the requested URL will be saved in browser history and server logs.
However, it is secure to submit as a POST request to https://domain.com/ClientLogin (i.e. submitting a form) while passing the credentials as part of the POST body, since the POST body is encrypted and sent after making a connection to the requested URL. So, the form action would be https://domain.com/ClientLogin and the form field values will be passed in the POST body.
Here are some links that helped me understand this better:
Answer to StackOverflow Question: Are https URLs encrypted?
Straightforward Explanation of SSL and HTTPS
Google Answers: HTTPS - is URL string itself secure?
HTTP Made Really Easy
Quick Answer: It is standard practice to send "plain text" passwords over HTTPS via the POST method. As we all know, the communication between client and server is encrypted by TLS, so HTTPS secures the password.
To summarise my recommendations for securely including credentials in a URL: Always use a limited-scope token such as a capability token (key) or limited scope OAuth access token. Ideally the token should only provide access to the one resource named in the URL. Never ever ever put a username and password in a URL.
We can do HTTP basic authentication via a URL with @ in the password. We have to pass the credentials appended to the URL. The username and password must be added in the format https://username:password@URL. Let us make an attempt to handle the browser authentication below.
Never Share Passwords Using These Methods
Here are a few insecure ways of sharing passwords and why you should avoid them: Email or SMS texting: These communication methods have no security, so your message is readable to anyone who might intercept it.
No. They won't be seen in transit, but they will remain in:
If it's at all possible, use POST over HTTPS on authentication, and then set an "authenticated" cookie, or use HTTP Digest Authorization over HTTPS, or even HTTP Basic auth over HTTPS - but whatever you do, don't put secret/sensitive data in the URL.
Edit: when I wrote "use POST", I meant "send sensitive data over HTTPS in POST fields". Sending a POST http://example.com/ClientLogin?password=hunter2 is every bit as wrong as sending it with GET.
TL;DR: Don't put passwords in the URL. Ever.
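The two answers above make the same point from different angles: the first, that a GET URL with credentials ends up in server logs while a POST body does not; the second, that a POST whose URL still carries the password is no better. The following script is an added example, not code from either answer, that makes the difference observable. It runs a throwaway local HTTP server that records only what a real web server's access log records (the request line: method, path and query string), then sends the three variants under discussion and reports what was logged. The server is plain HTTP so the demo runs offline with the standard library alone; TLS encrypts the bytes on the wire but does not change what the origin writes to its log, so the result is the same behind HTTPS. The path /ClientLogin, the parameter names Email and Passwd and the sample credentials are taken from the question; the 127.0.0.1 ephemeral-port server is an assumption of this example.

```python
"""Added example: show which request variants leak credentials into a server's
access log. The local server stands in for any HTTP(S) origin; its log records
the request line exactly as Apache/nginx "combined" logs do."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACCESS_LOG = []  # stand-in for the web server's access log, one entry per request


class LoginHandler(BaseHTTPRequestHandler):
    """Accepts GET and POST on any path; logs the request line like a real server."""

    def _record(self):
        # Servers log the request line: method, path and query string. Never the body.
        ACCESS_LOG.append(f"{self.command} {self.path}")

    def _respond(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_GET(self):
        self._record()
        self._respond()

    def do_POST(self):
        self._record()
        # Consume the body so the connection stays clean; it is deliberately not logged.
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)
        self._respond()

    def log_message(self, *args):
        pass  # silence the default stderr logging; ACCESS_LOG is our record


def start_server():
    """Start the constructed server on 127.0.0.1 with an OS-chosen port (assumption)."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo(email="user@example.com", password="123password"):
    """Send the three variants discussed in the answers; return what the server logged."""
    server = start_server()
    base = f"http://127.0.0.1:{server.server_address[1]}/ClientLogin"
    creds = urllib.parse.urlencode({"Email": email, "Passwd": password})
    del ACCESS_LOG[:]
    try:
        # 1. GET with credentials in the query string (the URL from the question).
        urllib.request.urlopen(f"{base}?{creds}").read()

        # 2. POST, but the credentials are still in the query string: logged just the same.
        req = urllib.request.Request(f"{base}?{creds}", data=b"", method="POST")
        urllib.request.urlopen(req).read()

        # 3. POST with the credentials in the form body: the log sees only the path.
        req = urllib.request.Request(base, data=creds.encode(), method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        urllib.request.urlopen(req).read()
    finally:
        server.shutdown()
        server.server_close()
    return {
        "get_query": ACCESS_LOG[0],
        "post_query": ACCESS_LOG[1],
        "post_body": ACCESS_LOG[2],
    }


def password_leaked(log_line, password):
    """True if the (form-encoded) password appears in a logged request line."""
    return urllib.parse.quote_plus(password) in log_line


if __name__ == "__main__":
    for name, line in run_demo().items():
        print(f"{name:10} logged as: {line}")
```

Running it prints three log lines; the first two contain `Passwd=123password`, the third is just `POST /ClientLogin`. The same test can be pointed at a real deployment by reading the actual access log after each request, which is a quick way to confirm that a login form or API client really keeps secrets out of the URL.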