WebApp Sec mailing list archives

RE: unable to access web site embeds username & password


From: Konstantin Ryabitsev <icon () phy duke edu>
Date: Thu, 24 Jun 2004 17:21:08 -0400

On Tue, 2004-06-22 at 16:36, Brown, James F. wrote:
> Keep in mind that passing passwords on the URL like this is horribly
> insecure. Your password will wind up sitting in web server logs, proxy
> server logs and will in some cases get sent off to other sites via the
> http referer mechanism.

I don't think that's correct. We're talking about this format:

http://username:password@web.site.tld/

To my knowledge this will instruct the server to pass the login
information as part of the HTTP header in response to a 40x, not as part
of the actual URL, so it will not be stored in access logs on the
end-site, or on the proxy server.

Now, if the URL was something like this:

http://web.site.tld/page.php?username=john&password=johndoe

Then you would have been correct.

Regards,
-- 
Konstantin Ryabitsev <icon () phy duke edu>
Duke University Physics
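An added example in Python (not part of this post or the thread) that shows the distinction drawn above: for a URL with embedded userinfo the client strips the credentials into an Authorization header and the request line carries only the path, whereas a query-string URL puts the values on the request line, which is what a Common Log Format access log and an onward Referer record. The client address and timestamp in the log line are constructed.

```python
# Added example, not from the original post: what an HTTP client puts on the
# wire for the two URL shapes discussed, and what a CLF access log records.
import base64
from urllib.parse import urlsplit, urlunsplit


def wire_request(url, method="GET"):
    """Return (request_line, headers) as an HTTP/1.1 client would send them.

    Userinfo ("user:pass@") is removed from the request target and becomes a
    Basic Authorization header; a query string stays on the request line.
    """
    p = urlsplit(url)
    host = p.hostname if p.port is None else f"{p.hostname}:{p.port}"
    headers = {"Host": host}
    if p.username is not None:
        token = base64.b64encode(f"{p.username}:{p.password or ''}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    target = (p.path or "/") + (f"?{p.query}" if p.query else "")
    return f"{method} {target} HTTP/1.1", headers


def access_log_line(url, client="10.0.0.5", status=200):
    """Common Log Format line as an origin server or proxy writes it: the
    request line is logged, request headers such as Authorization are not
    (client address and timestamp are constructed sample values)."""
    request_line, _ = wire_request(url)
    return f'{client} - - [24/Jun/2004:17:21:08 -0400] "{request_line}" {status} -'


def referer_value(url):
    """Referer a conforming user agent sends when following a link from url:
    userinfo is dropped (RFC 7231 section 5.5.2), the query string is kept."""
    p = urlsplit(url)
    host = p.hostname if p.port is None else f"{p.hostname}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def leaked_values(url):
    """Credential values from url that appear verbatim in the access log line
    or in the Referer the client would send on to another site."""
    p = urlsplit(url)
    candidates = [v for v in (p.username, p.password) if v]
    candidates += [kv.split("=", 1)[1] for kv in p.query.split("&") if "=" in kv]
    exposed = access_log_line(url) + " " + referer_value(url)
    return sorted({v for v in candidates if v in exposed})


if __name__ == "__main__":
    for u in ("http://username:password@web.site.tld/",
              "http://web.site.tld/page.php?username=john&password=johndoe"):
        print(access_log_line(u))
        print("  exposed credentials:", leaked_values(u))
```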

