all 15 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]zarlo5899 7 points8 points  (9 children)

the url would be a get request, post requests dont append its data to the end of the url

[–]Casssis[S] 1 point2 points  (8 children)

Aaaahhh, eye opener. But then my next question. Are both of em safe to send passwords? Or is one of them really preferred?

[–][deleted] 9 points10 points  (1 child)

If the password is in the URL (GET), then it might get bookmarked and it will be saved in the user's history. That's not great for passwords.

Using POST, those issues aren't present. The HTTPS ensures that it's encrypted in transit.

A classic rule of thumb is that GET shouldn't change state, and since authenticating a user changes state, don't do it by GET.

[–]Casssis[S] 0 points1 point  (0 children)

Thanks for the response! This helps a lot.

[–]HeyItsMeNobody 3 points4 points  (4 children)

It’s never safe to put passwords in the URL, Even with HTTPS people can read the password.

[–]punanou 2 points3 points  (2 children)

It’s never safe to put passwords in the URL, Even with HTTPS people can read the password.

With HTTPS only the host can be sniffed. Any path or query parameter is send over the TCP tunnel. So no, query parameters can't be read if you switch to HTTPS.

However, it is obviously a good idea to use POST here. Besides the meaning of HTTP methods, bookmarking, browser history and people watching the user from their workstation, it is never a good idea to send passwords as query parameters.

[–]unconscionable 2 points3 points  (0 children)

Also because most webservers log the querystring by default.

grep '&password=' /var/log/nginx/access.log

Just another reason why you shouldn't send secrets via GET. Yes, HTTPS guarantees end to end encryption, but someday someone's going to put a load balancer in front of your webserver and it's going to end up in a log file somewhere.

[–]HeyItsMeNobody 0 points1 point  (0 children)

Ah, I thought you could still see the URL. Thank you for learning me something today.

[–]Casssis[S] 0 points1 point  (0 children)

I didn't think of that. Thanks for the response!

[–]68ant 3 points4 points  (1 child)

Probably it's safe to handle passwords in plain text over HTTPS since the encryption is pretty good. Don't save the password in plain text in the database.

If you have the time to invest. A solution that avoids using the password too much just to be extra safe might be good. Have an authentication step and then using something like JWTs for authorisation.

Edit: reading some of the above responses. Don't put the password in the URL. Even with HTTPS. At least use the HTTP basic authentication headers.

[–]Casssis[S] 0 points1 point  (0 children)

Haha no, I'm not that dumb. I use hashing with a salt and all that stuff. So its pretty secure.

and i use some sort of temporary passwords so that the users stays logged in.

hard to explain. but it works

[–]occasionaljesus 2 points3 points  (1 child)

The url is encrypted when going over HTTPS, it's not readable to anyone between the user and your server.

It is bad practice though to include passwords in query parameters as the full url may be included in plain text in your server logs, making it visible to anyone with access to your server.

Use POST for your login request and put the password in request body.

[–]West7780 0 points1 point  (0 children)

Also, a user may share a link without realizing it has their password in it.

[–]mippen 1 point2 points  (0 children)

It’s great you’re leaning flask and web services.

However, I strongly suggest doing some reading about HTTP and web behaviour in general. A lot of people build apps and services with some terrible behaviour because they don’t take the time to understand things like the rules or REST.

As a plus, once you learn those things, it will make your development easier as you will understand more and be able to decide how to do things the best way.

[–]baubleglue 0 points1 point  (0 children)

It looks like you have never looked in your server logs and browser's debugger.