
Lead Belly

macrumors newbie
Original poster
Jun 17, 2002
First, let me say I'm not a programmer at all. I'm a designer and content manager, among other things. Small scale HTML, CSS and basic javascript is about as far as I go. I'd appreciate any insight the much more experienced programmers/developers out there can provide regarding passing login info in the URL string.

Background: We're creating a site with a third-party developer. They're saying some tool being used for building the site puts the login in the URL, but they'll encrypt the info, so no problem. Why does it feel like a problem?

I've always been told this is a bad method, but I don't really know why it's bad. I don't see this being used on any of the sites I use regularly. I've searched every way I know how and I can't find much information - possibly due to this being something so obviously bad that all programmers know not to even discuss it. I've read some stuff about it being prone to sniffers and session hijacking, but I may be misunderstanding terms.

It seems sloppy and outdated, but if the username and password are encrypted, is this technique actually bad? dangerous? easily hacked? I can think of a half dozen issues where the url could potentially drop the login information and annoy the heck out of users. Is that the worst of it?

Any insights or experience to share? Thanks in advance.
 
I'm no security expert, but keeping the login info in the URL (encrypted or not) seems odd to say the least. I thought it was much better/safer/easier to store the login information within sessions/cookies...
It also seems like bad practice to keep propagating the login information from page to page: once you're logged in, what's the point of keeping your username and password in the url other than multiplying the opportunities hackers will have to get access to them?

And concerning encrypted username and passwords, unless you're using SSL, they get sent in clear over the net (even if they're not displayed in the url).

Again, I'm no security expert, but it sounds a bit iffy to me. What language is the site being written in? PHP?
 
Without going into a lot of detail (partly because I don't KNOW a lot of detail) you want to look into the difference between POST and GET requests when submitting a form.

You should not have to keep everything in the URL all the time; I think that's not only potentially unsafe but also very bad form (in my eyes). I *loathe* those sites that keep on adding and adding session information until my URL is five lines long. It's just annoying.
 
Tell Party #3 they need to investigate actual sessions like PHP, Coldfusion, ASP, JSP, etc have.
 
I concur: Not Good. It's a security risk.

There's no reason this kind of info needs to be transferred via the URL. Aside from being vulnerable to hijacking, it'll also show up in server logs and other places.

If the username and password are used to gain access to personal or financial information, then you definitely shouldn't be passing that info in the URL.
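The point above about credentials in a URL showing up in server logs, as an added example that is not from the thread or any poster: a GET login puts the username and password in the request line, which the web server writes to its access log, while a POST login keeps them in the request body, which a standard access log never records. The script below scans constructed combined-format log lines for credential-like query parameters and prints a redacted copy; the parameter list is an assumption to extend for your own site.

```python
"""Added example: detect and redact credentials that leaked into a web
server access log via GET query strings. Log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Assumption: a starter list of parameter names that usually carry credentials.
SENSITIVE_PARAMS = {"user", "username", "login", "password", "passwd",
                    "pwd", "pass", "token", "sessionid"}

# Combined log format: the quoted request line is "METHOD TARGET PROTOCOL".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)')


def find_sensitive_params(target: str) -> dict:
    """Return {name: [values]} for sensitive parameters in the target's query."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: v for k, v in params.items() if k.lower() in SENSITIVE_PARAMS}


def redact_target(target: str) -> str:
    """Replace sensitive parameter values with REDACTED; keep the rest intact."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, vals in params.items() for v in vals]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(lines):
    """Return (line_no, method, redacted_target, leaked_names) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        leaked = find_sensitive_params(m["target"])
        if leaked:
            hits.append((n, m["method"], redact_target(m["target"]), sorted(leaked)))
    return hits


# Constructed sample log: a GET login (credentials in the URL), a harmless GET,
# and a POST login (credentials in the body, so nothing sensitive is logged).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2002:10:01:02 -0700] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0',
    '203.0.113.5 - - [17/Jun/2002:10:01:03 -0700] "GET /account?page=2&sort=date HTTP/1.1" 200 4120',
    '198.51.100.9 - - [17/Jun/2002:10:02:10 -0700] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, method, target, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} {target} leaked {', '.join(names)}")
```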
 
notjustjay said:
Without going into a lot of detail (partly because I don't KNOW a lot of detail) you want to look into the difference between POST and GET requests when submitting a form.

You should not have to keep everything in the URL all the time; I think that's not only potentially unsafe but also very bad form (in my eyes). I *loathe* those sites that keep on adding and adding session information until my URL is five lines long. It's just annoying.

Thank you. I'll read up on POST vs GET.

I agree about adding information in the URL. I know a lot of people like putting variable information in the URL because it's easy, but it gets ugly very quickly. I like to use the URL field for...urls. It should be pretty easy to look at a url and see the path taken to get there.

Thanks again.
 
Thanks everyone who replied. I honestly don't know what the site is being written in. I know it's not ASP, JSP, or CFM. I don't think it's PHP either. I don't actually know what else there is. :confused:

Other sites I've worked on were in ASP and Cold Fusion and session and login stuff were handled very nicely (in my unknowledgeable opinion).

It does seem scary, even if the information is encrypted. I would think this is a function of bad programming and that any programming language could carry sensitive information in the URL string, but much better ways have been developed in the last 5 or so years.
 
Lead Belly said:
Thanks everyone who replied. I honestly don't know what the site is being written in. I know it's not ASP, JSP, or CFM. I don't think it's PHP either. I don't actually know what else there is. :confused:

There's perl.
 
The only reason you should need to pass info via the URL is if there's a possibility that the user has cookies turned off. But then you should only be passing information in the URL that is not sensitive, like column sort settings or search criteria. Stuff that doesn't matter.

If you need to pass sensitive information, then you just have to require that users have cookies turned on, or pass it via POST instead of GET, as mentioned above. It's easy to test for cookies on a user's browser. If they have them turned off, you simply display a page telling them how to turn cookies on in their browser.

Good luck!
 