Improper Website Credential Settings

Posted by Oğuz~#> (Senior Member, 5 Jul 2009, Bursa)
It is possible to pass username and password data via the URL of your site, but that doesn't mean it is a good idea.

Credentials sent in the URL?

A URL can be formed to log in to a site, something like:
http://username:password@example.com/

This is not generally a problem for sites which are encrypted (https at the beginning instead of http), but it does expose the credentials in plain text in the browser's address bar, meaning that if another person were to lean over the screen, they would see the credentials. It is also possible that the credentials will be stored automatically in the browser's history or cache, meaning other people who use the same computer would be able to obtain the username and password.

Why Shouldn't I Send Data this way?

Fundamental site security is not greatly threatened by this, but it increases the likelihood of a user having their username and password stolen. If the site in question holds sensitive data such as credit card or personal information, this poses a real risk for the user.
Additionally, a plain text (human readable) username and password may end up stored in multiple places: in the site's server logs, in the browser history and cache, and potentially in third-party applications which have access to the browser data, including plugins.

Solutions - How to Properly Send Credentials

Sending passwords via a GET request, or directly in the URL by other means, is considered poor security practice. The best solution is to send the username and password as POST parameters from a web form and to use session cookies to track whether a user is logged in, ignoring all other attempts to log in.
For example, instead of the following HTML login form declaration,
Code:
<form method="GET">
use
Code:
<form method="POST">
and handle the input using POST parameters instead of GET. After this, the logged-in state can be recorded in a session cookie. Each language has a different way of setting up sessions, but an example for PHP is given below:
Code:
<?php
session_start();                 // start (or resume) the session tied to the session cookie
$_SESSION['loggedIn'] = true;    // store the user as logged in
echo "Is the user logged in? " . ($_SESSION['loggedIn'] ? 'yes' : 'no');   // retrieve session data
?>
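To make the three steps above concrete, here is an added PHP example; it is not code from the original post. It assumes a page called login.php served over HTTPS, an in-memory user table constructed for the example, and the constructed password "correct horse battery staple". It rejects credentials that arrive in the URL, accepts them only via POST, verifies them against a stored hash rather than a plain-text password, and then records the login in a session whose cookie is marked HttpOnly and Secure.

```php
<?php
// Added example (not from the original post): a login handler that refuses
// credentials passed in the URL, accepts them only via POST and tracks the
// login with a session cookie. login.php, the user table and the password
// below are constructed for this example.
declare(strict_types=1);

// Harden the session cookie before the session starts (assumes HTTPS).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample store: only password hashes are kept, never plain text.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Dummy hash so an unknown username still costs one password_verify() call,
// which keeps the response time from revealing which usernames exist.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

function loginForm(): string
{
    // method="POST": credentials travel in the request body, not in the URL.
    // (A CSRF token would be added here in a production form.)
    return '<form method="POST" action="login.php">'
        . '<input name="username" autocomplete="username">'
        . '<input type="password" name="password" autocomplete="current-password">'
        . '<button type="submit">Log in</button>'
        . '</form>';
}

function isLoggedIn(): bool
{
    return !empty($_SESSION['loggedIn']) && isset($_SESSION['user']);
}

function handleLogin(array $users, string $dummyHash): string
{
    // Credentials in the query string would end up in access logs, browser
    // history and Referer headers, so such requests are refused outright.
    if (isset($_GET['username']) || isset($_GET['password'])) {
        http_response_code(400);
        return 'Credentials must be submitted via POST, not in the URL.';
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return loginForm();
    }

    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    $hash = $users[$username] ?? $dummyHash;
    if (!isset($users[$username]) || !password_verify($password, $hash)) {
        http_response_code(401);
        return 'Invalid username or password.';
    }

    // Fresh session id on login so an id fixed before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['user'] = $username;

    return 'Logged in as ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

echo handleLogin($users, $dummyHash);
// Later requests call isLoggedIn() to decide whether to serve protected pages.
```

The session cookie is the only thing the browser stores after a successful login, so the username and password never appear in the address bar, history or server logs; pages that require a login check isLoggedIn() on each request instead of asking for credentials again.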