
Passing username and password in HTTP GET query parameters

I'm building a RESTful API for my application and I would like to make it as clean and transparent as possible.

I need to create an authentication endpoint and it makes most sense to me to build it so that users can authenticate in the following way:

GET https://example.com/auth?identity=<username_or_email>&password=<password>

As I said, passing the user auth data using the HTTP GET method in query parameters just seems very clean to me.

But I would like to ask you about how secure it actually is. Considering it will be encrypted through SSL/TLS, do you think it's a good idea to transfer user credentials like this?

Hexdigit _ asked Apr 24 '16 06:04




2 Answers

As Display Name said, both variants are basically plain text (even using base64 encoding). So you must use TLS or another protection like HMAC.

But on the other side, the query string is less secure in terms of how servers/clients work with URLs in general. You can read about this here or here. Briefly, you should worry about the following:

  • URLs are stored in web server logs
  • URLs are stored in the browser history
  • URLs are passed in Referer headers
Set answered Oct 19 '22 23:10

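The two leak channels from this answer that can be shown offline are the access log and the Referer header. The following is an added example (not code from the answer or from any server): it redacts sensitive query parameters from Common Log Format lines, and models what a browser would send as Referer from an auth URL under two Referrer-Policy values. The parameter names in SENSITIVE_PARAMS, the sample log lines and the URLs are constructed for the demo.

```javascript
// Added example, not part of the original answer. Sensitive parameter names,
// sample log lines and URLs below are assumptions made for the demo.
const SENSITIVE_PARAMS = new Set(['password', 'passwd', 'pwd', 'token', 'secret', 'api_key']);

// Replace the value of every sensitive query parameter in a request target
// (path + query) with REDACTED. Non-sensitive parameters are kept as-is.
function redactTarget(target) {
  const q = target.indexOf('?');
  if (q === -1) return target;
  const params = new URLSearchParams(target.slice(q + 1));
  // Copy the keys first: set() mutates the collection we would be iterating.
  for (const key of [...params.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) params.set(key, 'REDACTED');
  }
  return target.slice(0, q) + '?' + params.toString();
}

// Apply redactTarget to the quoted request line of a Common Log Format entry,
// e.g. '... "GET /auth?identity=alice&password=hunter2 HTTP/1.1" 200 17'.
// This is the line a web server writes for a GET with credentials in the URL;
// a POST body or an Authorization header never appears here.
function redactLogLine(line) {
  return line.replace(/"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/,
    (_m, method, target, version) => `"${method} ${redactTarget(target)} ${version}"`);
}

// What a browser sends as Referer when a page loaded from `fromUrl` fetches
// `toUrl` under the given Referrer-Policy. Only three policies are modelled:
// 'no-referrer', 'unsafe-url' (whole URL, query included) and the current
// browser default 'strict-origin-when-cross-origin'.
function refererFor(fromUrl, toUrl, policy = 'strict-origin-when-cross-origin') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const fullMinusFragment = from.origin + from.pathname + from.search;
  if (policy === 'no-referrer') return null;
  if (policy === 'unsafe-url') return fullMinusFragment;
  // strict-origin-when-cross-origin: full URL same-origin, origin only
  // cross-origin, nothing at all on an https -> http downgrade.
  if (from.origin === to.origin) return fullMinusFragment;
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  return from.origin + '/';
}

// Constructed sample access-log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [24/Apr/2016:06:04:00 +0000] "GET /auth?identity=alice%40example.com&password=hunter2 HTTP/1.1" 200 17',
  '203.0.113.5 - - [24/Apr/2016:06:04:01 +0000] "POST /auth HTTP/1.1" 200 17',
];

function redactedSample() {
  return SAMPLE_LOG.map(redactLogLine);
}

for (const line of redactedSample()) console.log(line);
const authUrl = 'https://example.com/auth?identity=alice&password=hunter2';
console.log('unsafe-url  :', refererFor(authUrl, 'https://cdn.example.net/app.js', 'unsafe-url'));
console.log('default     :', refererFor(authUrl, 'https://cdn.example.net/app.js'));
```

Redacting at log-write time only closes the first bullet; the browser history and any third-party script or image loaded from the page that received the auth response still see the URL, which is why the fix is to move the credentials out of the URL rather than to scrub them afterwards.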


Well, I basically pass a base64 string to the server. My username and password are converted to base64 and then passed in the Authorization header:

Authorization: Basic --Value

I find this the cleanest way of passing username and password to the server.

On the other end, the server has a module called Passport. Passport provides different types of authorization and authentication like Basic, Bearer, token, or even your own custom one.

For the above purpose I use the Basic module.

maddygoround answered Oct 19 '22 22:10
