Username and password in https url

Consider the URL: https://foo:password@example.com

Does the username/password portion in the above example qualify as a "URL parameter", as defined in this question?


When you put the username and password in front of the host, this data is not sent that way to the server. It is instead transformed to a request header depending on the authentication schema used. Most of the time this is going to be Basic Auth which I describe below. A similar (but significantly less often used) authentication scheme is Digest Auth which nowadays provides comparable security features.

With Basic Auth, the HTTP request from the question will look something like this:

GET / HTTP/1.1
Host: example.com
Authorization: Basic Zm9vOnBhc3N3b3Jk

The hash-like string you see there is created by the browser like this: base64_encode(username + ":" + password).

To outsiders of the HTTPS transfer, this information is hidden (as is everything else on the HTTP level). You should take care of logging on the client and all intermediate servers though. The username will normally be shown in server logs, but the password won't. This is not guaranteed though. When you call that URL on the client with e.g. curl, the username and password will be clearly visible in the process list and might turn up in the bash history file.

When you use the approach by ayush, the username and password will always turn up in server logs of your webserver, application server, caches, ... unless you specifically configure your servers to not log it. This only applies to servers being able to read the unencrypted http data, like your application server though.

Basic auth is standardized and implemented by browsers by showing this little username/password popup. When you put the username/password into an HTML form sent via GET or POST, you have to implement all the login/logout logic yourself (which might be an advantage). But you should never transfer usernames and passwords by GET parameters. If you have to, use POST instead. This prevents the logging of this data by default.

When implementing an authentication mechanism with a user/password entry form and a subsequent cookie-based session as it is commonly used today, you have to make sure that the password is either transported with POST requests or one of the standardized authentication schemes above only.

Concluding, I could say that transferring data that way over HTTPS is safe, as long as you take care that the password does not turn up in unexpected places. But that advice applies to every transfer of any password in any way.
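The transformation the answer describes, shown as an added example that is not part of the original post or answer: a small Python script that takes a URL with credentials in front of the host, builds the request the browser would actually send (the userinfo is dropped from the request target and moved into an Authorization: Basic header), decodes such a header back to show that Base64 is an encoding and not encryption, and redacts the password from the URL before it reaches a log line or a process list. All function names and the sample URL are assumptions made for this example.

```python
import base64
from urllib.parse import urlsplit, urlunsplit


def _host_with_port(parts):
    """Rebuild 'host' or 'host:port' without the userinfo part of the netloc."""
    host = parts.hostname or ""
    if ":" in host:                      # bare IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    return host


def basic_token(username, password):
    """Authorization value the browser derives from the userinfo: base64(user:pass)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(url):
    """Return the HTTP/1.1 request text a client sends for a URL with embedded credentials.

    The credentials never appear in the request line; they travel in a header,
    which is why they are hidden inside the TLS tunnel but still visible to any
    server that sees the decrypted request.
    """
    parts = urlsplit(url)
    if parts.username is None:
        raise ValueError("URL carries no userinfo component")
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = [
        f"GET {target} HTTP/1.1",
        f"Host: {_host_with_port(parts)}",
        f"Authorization: {basic_token(parts.username, parts.password or '')}",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def decode_basic(header_value):
    """Recover (username, password) from an Authorization: Basic value.

    Anyone who can read the header (a proxy terminating TLS, an application log
    that dumps headers) can do this; Base64 provides no confidentiality.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def redact_url(url):
    """Replace the password in a URL with *** so the URL is safe to log or display."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    netloc = f"{parts.username}:***@{_host_with_port(parts)}"
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    # Constructed sample URL, the one from the question.
    sample = "https://foo:password@example.com"
    print(build_request(sample))
    print(decode_basic("Basic Zm9vOnBhc3N3b3Jk"))
    print(redact_url("https://foo:password@example.com/api?x=1"))
```

Use redact_url on anything that is about to be written to a log or shown in a shell; the username is kept because, as the answer notes, servers record it anyway, while the password is the part that must not leak.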

Link: http://www.djcxy.com/p/27064.html
