https://stackoverflow.com/questions/19794590
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianAside what others have already written there is an additional point, that in webservers logsfiles most often the entire url is being logged, so anyone with access to the logfiles can read the login credentials. Furthermore, if there is some traffic analysis tool on the page (say i.e. google analytics or whatever) then the calling url is being reported there as well -> also those people can read the login credentials (and they may even apears in the traffic analysis).
HTTP: Why is it wrong to send a username and password in a get request?
-
04-07-2022 - |
Question
Genaral practice is when you login, or do something else that requires your username and password, you send it in the body of post request. Also for added security https should be used.
In get request these parameters are sent as a part of URL. But in https both body and headers are encrypted, as i understand.
So in theory, whether you use https post or get for sending, your data are safe..., in one case attacker will have to decript your header and in other your body.
So my question is, if this is all true, how is post more secure?
Solution
OTHER TIPS
GET is recorded at browser's history. Someone might look in your surf history and see your password.
Same reason you display **** in a password entry field...
If you send the credentials via GET, anyone looking over the shoulder of the user could see the password (or perhaps a hash of the password, depending on exactly how you perform your logon) in the URL bar.
The main point of putting something in a GET request is the ability to bookmark the result. This is great for search results, not so much for a login request. Sharing that URL would then theoretically allow anyone to login using your username and password.
It's for privacy concerns.
As others have mentioned, GET request can easily be tracked such that the URL string can be read by potentially malicious parties.
A URL such as:
www.facebook.com/login?username=ironman231&password=veryStrongPassword
provides a good example; the username and password is directly visible within the URL.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
