Is it secure to pass login credentials as plain text in an HTTPS URL?

https://domain.com/[email protected]&Passwd=123password

Update: So let's say this is not being entered in the browser, but being generated programmatically and being requested with a POST request (not a GET request). Is it secure?

Solution:

It is not secure to use this type of URL in a GET request (i.e. typing the URL into the browser) as the requested URL will be saved in browser history and server logs.

However, it is secure to submit as a POST request to https://domain.com/ClientLogin (i.e. submitting a form) while passing the credentials as part of the POST body, since the POST body is encrypted and sent after making a connection to the requested URL. So, the form action would be https://domain.com/ClientLogin and the form field values will be passed in the POST body.

Here are some links that helped me understand this better:

Answer to StackOverflow Question: Are https URLs encrypted?

Straightforward Explanation of SSL and HTTPS

Google Answers: HTTPS - is URL string itself secure?

HTTP Made Really Easy

+4  A: 

No. They won't be seen in transit, but they will remain in:

  • browser history
  • server logs

If it's at all possible, use POST over HTTPS on authentication, and then set an "authenticated" cookie, or use HTTP Digest Authorization over HTTPS, or even HTTP Basic auth over HTTPS - but whatever you do, don't put secret/sensitive data in the URL.

Edit: when I wrote "use POST", I meant "send sensitive data over HTTPS in POST fields". Sending a POST http://example.com/ClientLogin?password=hunter2 is every bit as wrong as sending it with GET.

TL;DR: Don't put passwords in the URL. Ever.

Piskvor
So it is considered safe when passing the credentials as parameters in a POST request?
Andrew
@Andrew: If they're POST parameters (and therefore not in the URL), then yes. Edited to reflect this.
Piskvor
That's what I was trying to figure out. Thanks!
Andrew
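An added example, not code from the question or from any of the answers, that makes the GET-versus-POST point above concrete: it shows where the form fields land on the wire for each method (the request line is what an access log records; the body is not), and it scans constructed Common Log Format lines for credentials that a GET URL has already leaked so they can be redacted. The hostname, parameter names and log lines are assumptions for illustration.

```python
# Added example: where credentials end up on the wire for GET vs POST, and a
# scanner/redactor for access-log lines that already carry them.
# Hostname, parameter names and log lines are constructed, not from the page.
from urllib.parse import urlencode, urlsplit, parse_qsl

SENSITIVE_PARAMS = {"passwd", "password", "pwd", "pass", "token", "secret"}


def build_request(method, url, params):
    """Return (request_line, body) as a client would send them.

    GET puts the fields in the query string of the request line, which an
    access log writes verbatim. POST puts them in the body, which TLS encrypts
    and a normal access log never records.
    """
    encoded = urlencode(params)
    path = urlsplit(url).path
    if method == "GET":
        return f"GET {path}?{encoded} HTTP/1.1", ""
    return f"POST {path} HTTP/1.1", encoded


def leaked_params(log_line):
    """Names of sensitive query parameters found in a CLF log line's request."""
    pieces = log_line.split('"')
    if len(pieces) < 3:
        return []
    fields = pieces[1].split(" ")          # "GET /path?q HTTP/1.1"
    target = fields[1] if len(fields) > 1 else fields[0]
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact(log_line):
    """Mask sensitive query values so the log line can be retained safely."""
    if not leaked_params(log_line):
        return log_line
    prefix, request, suffix = log_line.split('"', 2)
    method, target, version = request.split(" ")
    parts = urlsplit(target)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return f'{prefix}"{method} {parts.path}?{urlencode(cleaned)} {version}"{suffix}'


# Constructed access-log lines in Common Log Format: one leaky GET, one POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /ClientLogin?Email=alice%40example.com&Passwd=123password HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2000:13:55:40 -0700] "POST /ClientLogin HTTP/1.1" 200 512',
]
```

Running `redact` over an existing log is damage control only; the fix is the one the answers give, which is to move the credentials out of the URL into the POST body.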
A: 

Yes, but I wouldn't do that.

http://www.ourshop.com/resources/ssl_step1.html

David Radcliffe
A: 

I wouldn't do that. Just the fact that you have "login credentials", "plain text", and "secure" all in the same sentence throws up red flags.

Unless your sentence says "It is not secure to pass login credentials in plain text".

Jim B
A: 

Passing login info in URL parameters is not secure, even with SSL.

Passing login info in POST body with SSL is considered secure.

If you're using SSL, consider HTTP Basic authentication. While this is horribly problematic without SSL, it is no worse than POST with credentials: it achieves what you want, but does so according to an established standard, rather than custom field names.

Taylor