Is it safe to pass login credentials as plain text in an HTTPS URL?

https://domain.com/ClientLogin?Email=jondoe@gmail.com&Passwd=123password

Update: So let's say that this is not entered in the browser, but is created programmatically and requested with a POST request (and not with a GET request). Is it safe?

Solution:

You cannot use this type of URL in a GET request (i.e., type the URL in a browser), because the requested URL will be stored in the browser history and server logs.

However, it is safe to send https://domain.com/ClientLogin (that is, submit the form) as a POST request with the credentials in the POST body, since the POST body is encrypted and sent after the connection to the requested URL has been established. Thus, the form action will be https://domain.com/ClientLogin, and the form field values will be passed in the POST body.

Here are a few links that helped me understand this better:

stack overflow

Simple explanation of SSL and HTTPS

Google Answers: HTTPS - Is URL Bar Safe?

HTTP Made Really Easy

+7

4 answers

No. They will not be visible along the way, but they will remain in:

  • browser history
  • server logs

If at all possible, use POST via HTTPS for authentication, and then set an “authenticated” cookie or use HTTP digest authentication via HTTPS or even HTTP Basic auth over HTTPS - but whatever you do, do not put sensitive / confidential data in the url.

Edit: when I wrote “use POST”, I meant “send sensitive data via HTTPS in POST fields”. Sending POST http://example.com/ClientLogin?password=hunter2 is just as bad as sending it with GET.

TL; DR: Do not put passwords in the URL. Ever.

+13
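An added example (not code from the original question or any of the answers) that makes the point of the accepted solution and of the first answer's edit concrete: it builds the same login request three ways, puts each through a mock of the request line that a web server's access log records, and shows that the query string is logged whatever the HTTP method is, while the POST body and an HTTP Basic Authorization header are not. The host, path and credentials are the placeholders from the question; the client IP, timestamp and log format are constructed to resemble a Common Log Format entry. No network or TLS is used; over HTTPS all three forms are encrypted in transit, so the only difference is what is written to browser history and the server log.

```python
"""Added example, not code from the original post: what a web server's
access log records for the same credentials sent in the query string, in a
POST body, and in an HTTP Basic Authorization header.

Everything is built in memory; no network or TLS is involved. The host, path
and credentials are placeholders copied from the question. Over HTTPS the
entire request (request line, headers and body) is encrypted in transit; the
difference between the three forms is what survives in browser history and
in the server's access log, which records the request line verbatim but not
headers or the body.
"""
import base64
from typing import Optional, Tuple
from urllib.parse import urlencode

HOST = "domain.com"                                             # from the question
PATH = "/ClientLogin"                                           # from the question
CREDS = {"Email": "jondoe@gmail.com", "Passwd": "123password"}  # constructed sample


def build_request(method: str, where: str) -> str:
    """Return the raw HTTP/1.1 request text as the client hands it to TLS.

    where: "query" puts the credentials in the request target's query string,
           "body"  puts them in an application/x-www-form-urlencoded body,
           "basic" sends them base64-encoded in an Authorization header.
    """
    form = urlencode(CREDS)
    target, headers, body = PATH, [f"Host: {HOST}"], ""
    if where == "query":
        target += "?" + form
    elif where == "body":
        body = form
        headers += ["Content-Type: application/x-www-form-urlencoded",
                    f"Content-Length: {len(body.encode())}"]
    elif where == "basic":
        token = base64.b64encode(
            f"{CREDS['Email']}:{CREDS['Passwd']}".encode()).decode()
        headers.append(f"Authorization: Basic {token}")
    else:
        raise ValueError(f"unknown placement: {where}")
    return f"{method} {target} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


def access_log_line(raw_request: str, client_ip: str = "203.0.113.5") -> str:
    """Mimic a Common Log Format entry as Apache/nginx would write it: the
    request line is copied verbatim (query string included); request headers
    and the body are not logged. IP and timestamp are constructed."""
    request_line = raw_request.split("\r\n", 1)[0]
    return f'{client_ip} - - [01/Jan/2024:00:00:00 +0000] "{request_line}" 200 0'


def password_in_log(method: str, where: str) -> bool:
    """True if the password would end up in the server's access log."""
    return CREDS["Passwd"] in access_log_line(build_request(method, where))


def basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Recover the credentials from a Basic Authorization header. Base64 is an
    encoding, not encryption: anyone who sees the request without TLS has the
    password, which is why Basic auth is only acceptable over HTTPS."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(": ")
        if name.lower() == "authorization" and value.startswith("Basic "):
            user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
            return user, pw
    return None


if __name__ == "__main__":
    for method, where in [("GET", "query"), ("POST", "query"),
                          ("POST", "body"), ("GET", "basic")]:
        raw = build_request(method, where)
        print(f"{method} with credentials in {where}:")
        print("  access log:", access_log_line(raw))
        print("  password logged:", password_in_log(method, where))
```

The "POST with query" case is the one the first answer's edit warns about: changing the method does nothing if the credentials are still in the URL, because the server logs the request target, not the body. The `basic_credentials` helper is the caveat for the Basic-auth suggestion: the header keeps the password out of the access log, but it is only base64, so it is just as dependent on HTTPS as a POST body.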

Passing login information in URL parameters is not secure even when using SSL.

Passing login information in the POST body with SSL is considered safe.

If you use SSL, consider standard HTTP authentication. Although this is terribly problematic without SSL, it is no worse than a POST with credentials; it does what you want, and it does so according to an established standard rather than with custom field names.

+1
-1

I would not do that. Just the fact that you have "login credentials", "plain text" and "safe" all in one sentence raises red flags.

Unless your sentence says “It’s not safe to pass login credentials in plain text.”

-2
