15

Is it secure to pass login credentials as plain text in an HTTPS URL?

https://domain.com/ClientLogin?Email=jondoe@gmail.com&Passwd=123password

Update: So let's say this is not being entered in the browser, but being generated programmatically and being requested with a POST request (not a GET request). Is it secure?

Solution:

It is not secure to use this type of URL in a GET request (i.e. typing the URL into the browser) as the requested URL will be saved in browser history and server logs.

However, it is secure to submit as a POST request to https://domain.com/ClientLogin (i.e. submitting a form) while passing the credentials as part of the POST body, since the POST body is encrypted and sent after making a connection to the requested URL. So, the form action would be https://domain.com/ClientLogin and the form field values will be passed in the POST body.

Here are some links that helped me understand this better:

Answer to StackOverflow Question: Are https URLs encrypted?

Straightforward Explanation of SSL and HTTPS

Google Answers: HTTPS - is URL string itself secure?

HTTP Made Really Easy

Andrew

2 Answers

19

No. They won't be seen in transit, but they will remain in:

  • browser history
  • server logs

If it's at all possible, use POST over HTTPS on authentication, and then set an "authenticated" cookie, or use HTTP Digest Authorization over HTTPS, or even HTTP Basic auth over HTTPS - but whatever you do, don't put secret/sensitive data in the URL.

Edit: when I wrote "use POST", I meant "send sensitive data over HTTPS in POST fields". Sending a POST to http://example.com/ClientLogin?password=hunter2 is every bit as wrong as sending it with GET.

TL;DR: Don't put passwords in the URL. Ever.

Piskvor left the building
  • So it is considered safe when passing the credentials as parameters in a POST request? – Andrew Jun 30 '10 at 16:44
  • @Andrew: If they're POST parameters (and therefore not in the URL), then yes. Edited to reflect this. – Piskvor left the building Jun 30 '10 at 21:39
  • That's what I was trying to figure out. Thanks! – Andrew Jul 01 '10 at 14:21
  • Hi @Piskvorleftthebuilding, I know it's an old post, but I have been wondering if things have changed? In addition, what is the effect of using HTTPS with passing URL parameters? Is it still considered insecure? – AGoranov Jan 15 '20 at 09:05
  • The point still stands. URLs are considered non-sensitive data and routinely logged, as opposed to request bodies. If anything, putting personal/sensitive data into URLs is *more* problematic now, because of GDPR and whatnot. Snooping in transit is only a minor concern. – Piskvor left the building Jan 15 '20 at 09:17
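The following Python is an added example, not code from the question or from either answer; it shows the line the accepted answer and its edit draw: a typical access log records only the request line (method, path and query string), so credentials left in the query string are logged whether the request is GET or POST, while fields moved into the POST body never appear there. The list of credential-like parameter names is a heuristic assumed for this example.

```python
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Heuristic set of query-parameter names that usually carry credentials
# (an assumption for this example, not an exhaustive or standard list).
CREDENTIAL_PARAM_NAMES = {"passwd", "password", "pwd", "pass", "secret", "token", "api_key", "apikey"}

def credential_params_in_url(url: str) -> list[str]:
    """Return the names of query parameters that look like credentials."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in CREDENTIAL_PARAM_NAMES]

def logged_request_line(method: str, url: str) -> str:
    """The request line a typical access log records: method, path and
    query string, never the request body.  This is why a GET, or a POST
    that keeps credentials in the query, ends up in server logs."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"{method} {target} HTTP/1.1"

def to_post_form(url: str) -> tuple[str, dict[str, str]]:
    """Move every query parameter out of the URL into a dict of form fields.
    The returned URL is the form action; the fields belong in the POST body,
    which travels inside the TLS session and is not part of the request line."""
    parts = urlsplit(url)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    action = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return action, fields

def post_body(fields: dict[str, str]) -> bytes:
    """Encode the fields as application/x-www-form-urlencoded, ready to be
    sent as the body of a POST (e.g. urllib.request.Request(action, data=...))."""
    return urlencode(fields).encode()

if __name__ == "__main__":
    url = "https://domain.com/ClientLogin?Email=jondoe@gmail.com&Passwd=123password"
    print("credential params in URL:", credential_params_in_url(url))
    print("logged as GET :", logged_request_line("GET", url))
    action, fields = to_post_form(url)
    print("logged as POST:", logged_request_line("POST", action))
    print("POST body     :", post_body(fields))
```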
2

Passing login info in URL parameters is not secure, even with SSL.

Passing login info in POST body with SSL is considered secure.

If you're using SSL, consider HTTP Basic authentication. While this is horribly problematic without SSL, it is no worse than POST with credentials; it achieves what you want, but does so according to an established standard rather than custom field names.

Taylor