views: 69

answers: 4

There is a JSP script for login to a server. Currently, user credentials are being accepted through an HTTP header, and login.jsp is designed so that once the user provides credentials, the user is redirected to a redirectURL, which is a fully qualified URL containing the username and password in the query string. The user is thus able to access the page he wants, but the problem is that the password is visible in the browser address bar.

So, what are the ways by which I can hide the user password in the URL?

+2  A: 

You can use HTTP POST parameters instead of GET parameters in the request. They won't be visible anymore in the URL address bar.

Benoit Courtine
+2  A: 

I don't know about JSP, but you should probably use a POST request.

+1  A: 

In addition to the above suggestions regarding using POST parameters, if I were you, I would probably reconsider how your password management is being done, as you should not need to pass passwords in plain text from one page to the other in your application at all.

Even if you need to pass the passwords from one page to another, you should consider hashing the password and then passing the hash, and then let the pages validate whether the hash is a valid one, because hopefully your database will have the hashed values in it.

NOTE: If you are storing the passwords in plain text in your database, that's something that's a definite no-no as well.

InSane
+3  A: 

Others suggested using POST, which is the correct method for this. But it is not enough to guarantee that a man-in-the-middle can't see the password. In order to prevent that, you should enable TLS (SSL) on your server and serve the page over HTTPS.

Bozho
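Putting the answers together, here is an added example (not code from the question or from any of the answers) of how the login.jsp flow could be rewritten as a servlet: credentials arrive only in a POST body, the password is checked against a stored hash and never forwarded, and the redirect to redirectURL carries no credentials because the session identifies the user. The PasswordStore interface and the "passwordStore" servlet-context attribute are assumptions for illustration; the password check itself (bcrypt/PBKDF2 against a salted hash) is left to that helper.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Assumed helper: compares the password with the stored salted hash (bcrypt/PBKDF2). */
interface PasswordStore { boolean matches(String username, String password); }

public class LoginServlet extends HttpServlet {

    // Login must not be reachable by GET: the parameters would land in the
    // address bar, browser history and server access logs.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        String target = req.getParameter("redirectURL");

        // Assumed: the store was registered in the servlet context at startup.
        PasswordStore store = (PasswordStore) getServletContext().getAttribute("passwordStore");
        if (username == null || password == null || !store.matches(username, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate the session on login so a pre-login session id cannot be reused.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute("user", username);

        // Only follow redirectURL to a path inside this application; a fully
        // qualified URL (as in the original flow) is replaced by the application root.
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            target = req.getContextPath() + "/";
        }
        // The redirect carries nothing secret; the session cookie identifies the user.
        // Serve the whole flow over HTTPS so the POST body and cookie are encrypted in transit.
        resp.sendRedirect(target);
    }
}
```

The protected pages then check `request.getSession(false)` for the "user" attribute instead of reading a username and password from the query string.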