userid:password in URL security and problem

awingnut

Programmer
Feb 24, 2003
759
US
I'm not sure which is the right forum for this question so my apologies if this is not the right one and my thanks if you can redirect me.

Even though I am using SSL, are the userid:password parameters being passed in the clear? That is:


or are only the parameters passed as arguments secure? That is:


In any case, if the first is actually secure then is there a way to hide the userid:password so it is not displayed on the browser address line? TIA
 
Try passing the info via cookies or sessions or possibly even forms instead of through the URL.

Hope This Helps!

Ecobb
- I hate computers!
 
First, my original post was messed up. I forgot to wrap it.

Anyway, I don't know how cookies help. Does not authentication require the userid and password in the URL, if it is going to be used?

For the sake of clarity I'll repost my sample URLs:
Code:
https://userid:password@www.mywebsite.com
and
Code:
https://www.mywebsite.com/?userid=userid&password=password
The second method may not be possible due to the nature of the special HTTP server we are trying to use.
 
The web site will require whatever authentication you design it to use. If you program it to use the url, it will look in the url. If you program it to use cookies, it will look for cookies.

Hope This Helps!

Ecobb
- I hate computers!
 
It's not that simple. The server is a pseudo HTTP server. It is actually a database server that provides some built-in web capability. This problem exists because of reasons too complicated to explain but basically it only uses the standard userid/password prompt where it puts up an authentication window on the client side. I believe that means we can only bypass that window by supplying the userid/password, using the "userid:password@" format, in the URL. I am not aware of any setup parameters on the database for type of authentication unless there is some standard HTTP way of specifying it as part of the URL.
 
I was a little sidetracked with the last reply and forgot one of my main questions. To repeat:

With 'https' is passing the userid:password in the URL, as part of the host string, secure?
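
Added example, not part of the original thread or any poster's code: a Python sketch of what a standard HTTP client puts on the wire for the two sample URLs above, separating what an on-path observer can see from what travels inside the TLS session. It assumes ordinary HTTP Basic authentication handling of the `userid:password@` part; `wire_view` is a hypothetical helper name.

```python
import base64
from urllib.parse import urlsplit, unquote


def wire_view(url):
    """Split an https URL into what an observer sees and what TLS protects."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("this sketch only models https URLs")

    host = parts.hostname
    port = parts.port or 443

    # Request target: path and query only. The userinfo part is never sent here.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query

    headers = ["Host: " + (host if port == 443 else f"{host}:{port}")]
    if parts.username is not None:
        # The client moves userid:password into a Basic Authorization header.
        # Base64 is an encoding, not encryption; only TLS protects it in transit.
        creds = unquote(parts.username) + ":" + unquote(parts.password or "")
        token = base64.b64encode(creds.encode()).decode()
        headers.append("Authorization: Basic " + token)

    request = f"GET {target} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n"
    return {
        # Typically visible on the network: DNS lookup, TCP port, TLS SNI host.
        "cleartext": {"host": host, "port": port},
        # Sent only after the TLS handshake, so encrypted in transit.
        "inside_tls": request,
        # Independent of TLS: the typed URL sits in the address bar and history.
        "secret_in_typed_url": parts.password is not None
        or "password=" in parts.query,
    }


if __name__ == "__main__":
    # Constructed sample input: the two URLs from the thread.
    for url in ("https://userid:password@www.mywebsite.com",
                "https://www.mywebsite.com/?userid=userid&password=password"):
        view = wire_view(url)
        print(url, view["cleartext"], view["inside_tls"], sep="\n")
```

In both forms the credentials cross the network only inside the encrypted session; the query-string form additionally places them in the request line, which servers and proxies behind the TLS endpoint commonly write to access logs.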
 