Is it secure to pass login credentials as plain text in an HTTPS URL


Is it secure to pass login credentials as plain text in an HTTPS URL?

https://domain.com/ClientLogin?Email=jondoe@gmail.com&Passwd=123password

Update: So let's say this is not being entered in the browser, but being generated programmatically and being requested with a POST request (not a GET request). Is it secure?

Solution:

It is not secure to use this type of URL in a GET request (i.e. typing the URL into the browser) as the requested URL will be saved in browser history and server logs.

However, it is secure to submit as a POST request to https://domain.com/ClientLogin (i.e. submitting a form) while passing the credentials as part of the POST body, since the POST body is encrypted and sent after making a connection to the requested URL. So, the form action would be https://domain.com/ClientLogin and the form field values will be passed in the POST body.

Here are some links that helped me understand this better:

  • Answer to StackOverflow Question: Are https URLs encrypted?
  • Straightforward Explanation of SSL and HTTPS
  • Google Answers: HTTPS – is URL string itself secure?
  • HTTP Made Really Easy

Best Answer

No. They won't be seen in transit, but they will remain in:

  • browser history
  • server logs

If it's at all possible, use POST over HTTPS on authentication, and then set an "authenticated" cookie, or use HTTP Digest Authorization over HTTPS, or even HTTP Basic auth over HTTPS - but whatever you do, don't put secret/sensitive data in the URL.

Edit: when I wrote "use POST", I meant "send sensitive data over HTTPS in POST fields". Sending a POST http://example.com/ClientLogin?password=hunter2 is every bit as wrong as sending it with GET.

TL;DR: Don't put passwords in the URL. Ever.