SyntaxFix

[security] Username and password in https url

Consider the URL: https://foo:[email protected]

Does the username/password portion in the above example qualify as a "URL parameter", as defined in this question?

This question is related to security https url-parameters

The answer is

When you put the username and password in front of the host, this data is not sent that way to the server. It is instead transformed to a request header depending on the authentication schema used. Most of the time this is going to be Basic Auth which I describe below. A similar (but significantly less often used) authentication scheme is Digest Auth which nowadays provides comparable security features.

With Basic Auth, the HTTP request from the question will look something like this:

GET / HTTP/1.1
Host: example.com
Authorization: Basic Zm9vOnBhc3N3b3Jk

The hash like string you see there is created by the browser like this: base64_encode(username + ":" + password).

To outsiders of the HTTPS transfer, this information is hidden (as everything else on the HTTP level). You should take care of logging on the client and all intermediate servers though. The username will normally be shown in server logs, but the password won't. This is not guaranteed though. When you call that URL on the client with e.g. curl, the username and password will be clearly visible on the process list and might turn up in the bash history file.

When you send passwords in a GET request as e.g. http://example.com/login.php?username=me&password=secure the username and password will always turn up in server logs of your webserver, application server, caches, ... unless you specifically configure your servers to not log it. This only applies to servers being able to read the unencrypted http data, like your application server or any middleboxes such as loadbalancers, CDNs, proxies, etc. though.

Basic auth is standardized and implemented by browsers by showing this little username/password popup you might have seen already. When you put the username/password into an HTML form sent via GET or POST, you have to implement all the login/logout logic yourself (which might be an advantage and allows you to more control over the login/logout flow for the added "cost" of having to implement this securely again). But you should never transfer usernames and passwords by GET parameters. If you have to, use POST instead. The prevents the logging of this data by default.

When implementing an authentication mechanism with a user/password entry form and a subsequent cookie-based session as it is commonly used today, you have to make sure that the password is either transported with POST requests or one of the standardized authentication schemes above only.

Concluding I could say, that transfering data that way over HTTPS is likely safe, as long as you take care that the password does not turn up in unexpected places. But that advice applies to every transfer of any password in any way.

Source: Stackoverflow.com

Examples related to security

Monitoring the Full Disclosure mailinglist Two Page Login with Spring Security 3.2.x How to prevent a browser from storing passwords JWT authentication for ASP.NET Web API How to use a client certificate to authenticate and authorize in a Web API Disable-web-security in Chrome 48+ When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? How does Content Security Policy (CSP) work? How to prevent Screen Capture in Android Default SecurityProtocol in .NET 4.5

Examples related to https

What's the net::ERR_HTTP2_PROTOCOL_ERROR about? Requests (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.") Error in PyCharm requesting website Android 8: Cleartext HTTP traffic not permitted ssl.SSLError: tlsv1 alert protocol version Invalid self signed SSL cert - "Subject Alternative Name Missing" How do I make a https post in Node Js without any third party module? Page loaded over HTTPS but requested an insecure XMLHttpRequest endpoint How to force Laravel Project to use HTTPS for all routes? Could not create SSL/TLS secure channel, despite setting ServerCertificateValidationCallback Use .htaccess to redirect HTTP to HTTPs

Examples related to url-parameters

What is the difference between URL parameters and query strings? RestTemplate: How to send URL and query parameters together How can I get query parameters from a URL in Vue.js? How can I get the named parameters from a URL using Flask? How to get a URL parameter in Express? PHP check if url parameter exists Pass Hidden parameters using response.sendRedirect() How to convert URL parameters to a JavaScript object? How to replace url parameter with javascript/jquery? Username and password in https url

Tags

Launching Django-pagination Dollar-sign Capicom Eregi Corruption Qa Rvm Html-input Resource-leak Assembly-attributes Url.action Page-refresh Imageflow Pyrocms Wcf-instancing Picolisp Gpolygon Pseudo-class Ctp4 Django-project-architect Isoneway Page-setup Parseint Getclientrect Lines Web-reference Maven-jar-plugin Voip Computation-theory Location System.addin Schema-migration Console.out.writeline Hierarchical-trees Botnet Qwebkit Kit3d Transformtovisual Runge-kutta Heap-corruption Job-control Gwt2 Duplication Boxsizer User-agent Video-editing Princexml Lalr Expectations To-char Adorner Lighting Xmlreader Amr Virtualenv Indexing Ad-management Object-layout Wpl Indefinite Strchr Realm Tie Baseline Clip Parse-url Asp.net-mvc-file-upload Glfw Contactscontract Acceptverbs Led Kanban Quoting Nantcontrib Msxsl Devexpress Voiceover Currentculture Domain-data-modelling Executemany Vmware-tools Mashup Nstoolbar Fedora Back-button Mocha.js Yuv Uiq3 Nested-datalist Flash-video Maven-site-plugin Prettify Nodes Platform-specific Census Debug-information Dbcommand Semweb Street-address