HTTP Basic Authentication credentials passed in URL and encryption

Question

I have a question about HTTPS and HTTP Authentication credentials   Suppose I secure a URL with HTTP Authentication    lt Directory  var www webcallback gt  AuthType Basic AuthName  Restricted Area  AuthUserFile  var www passwd passwords Require user gooduser  lt  Directory gt    I then access that URL from a remote system via HTTPS  passing the credentials in the URL   https   gooduser secretpassword www example com webcallback foo bar   Will the username and password be automatically SSL encrypted  Is the same true for GETs and POSTs  I m having a hard time locating a credible source with this information

User · Accepted Answer

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs

Yes, yes yes.

The entire communication (save for the DNS lookup if the IP for the hostname isn't already cached) is encrypted when SSL is in use.

User · Answer

Yes  it will be encrypted    You ll understand it if you simply check what happens behind the scenes    The browser or application will first break down the URL and try to get the IP of the host using a DNS Query  ie  A DNS request will be made to find the IP address of the domain  www example com   Please note that no other information will be sent via this request  The browser  or application will initiate a SSL connection with the IP address received from the DNS request  Certificates will be exchanged and this happens at the transport level  No application level information will be transferred at this point  Remember that the Basic authentication is part of HTTP and HTTP is an application level protocol  Not a transport layer task  After establishing the SSL connection  now the necessary data will be passed to the server  ie  The path or the URL  the parameters and basic authentication username and password

User · Answer

Not necessarily true  It will be encrypted on the wire however it still lands in the logs plain text

[https] HTTP Basic Authentication credentials passed in URL and encryption

Examples related to https

Examples related to basic-authentication