WebApp Sec mailing list archives

RE: unable to access web site embeds username & password


From: "Kevin R. Babcock" <kevinb () ugcs caltech edu>
Date: Tue, 22 Jun 2004 16:42:36 -0700 (PDT)

On Tue, 22 Jun 2004, Brown, James F. wrote:

> Keep in mind that passing passwords on the URL like this is horribly
> insecure. Your password will wind up sitting in web server logs, proxy
> server logs and will in some cases get sent off to other sites via the
> http referer mechanism.

In fact, Internet Explorer and other browsers take the username and
password out of the URL before making the request.  They are
instead placed in headers to do HTTP Basic Authentication when the request
is made, and so the username and password never go over the wire in a URL.

-Kevin
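As an added illustration that is not part of the thread, the Python below models both points raised above: how a browser moves `user:pass@` out of a URL into an HTTP Basic `Authorization` header before the request leaves the machine, and, on the log-hygiene side, how to detect and redact credentials that nonetheless end up in access or proxy logs (for example via a Referer sent by a client that did not strip them). The hostnames, credentials and log lines are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(url: str):
    """Model what a browser does with scheme://user:pass@host/path.

    Returns (url_without_credentials, headers). The credentials are removed
    from the request target and carried only in a Basic Authorization header,
    so they never appear in the request line a server or proxy would log.
    """
    parts = urlsplit(url)
    headers = {}
    if parts.username is not None:
        # Rebuild the authority without the user:pass@ prefix.
        netloc = parts.hostname or ""
        if parts.port is not None:
            netloc = f"{netloc}:{parts.port}"
        password = parts.password or ""
        token = base64.b64encode(f"{parts.username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
        parts = parts._replace(netloc=netloc)
    return urlunsplit(parts), headers


# Matches "scheme://user[:password]@" so embedded credentials can be flagged
# and redacted in log text. The character classes stop at "/" so the path or
# query of an ordinary URL cannot be mistaken for userinfo.
USERINFO_RE = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?P<userinfo>[^/\s@:]+(?::[^/\s@]*)?)@"
)


def find_credential_urls(log_lines):
    """Return the indexes of log lines that contain a URL with embedded credentials."""
    return [i for i, line in enumerate(log_lines) if USERINFO_RE.search(line)]


def redact_credentials(line: str) -> str:
    """Replace user:pass@ with a fixed marker so the line can be retained safely."""
    return USERINFO_RE.sub(r"\g<scheme>[REDACTED]@", line)


# Constructed sample: one access-log line whose Referer carries credentials,
# one clean line, and one proxy-log line with a credentialed URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2004:12:00:00 -0700] "GET /private/report HTTP/1.1" '
    '200 512 "http://alice:s3cret@intranet.example/portal" "Mozilla/4.0"',
    '10.0.0.7 - - [01/Jan/2004:12:00:05 -0700] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/4.0"',
    "proxy: CONNECT requested for http://bob:hunter2@files.example:8080/share",
]


if __name__ == "__main__":
    clean_url, hdrs = strip_userinfo("http://alice:s3cret@example.com/private/report")
    print("request target:", clean_url)
    print("headers:", hdrs)
    for i in find_credential_urls(SAMPLE_LOG):
        print("credentials in log line", i, "->", redact_credentials(SAMPLE_LOG[i]))
```

The detection regex is deliberately a scanner for retained logs, not a filter to put in front of a live request: the right fix is to keep credentials out of URLs in the first place, and the scanner is for finding where that has already failed.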

