Pass username and password in URL?

Chris Worner

Well-known member
Registered
Joined
Apr 15, 2016
Messages
612
Points
28
I believe this method is not possible because it is not secure and no one will put their username and password on the URL. I try to put parameters (username/password) on url with this way
Code:
example.com/index.php?username=username&password=mypassword
Is there a method to send username and password in a secure way with PHP? Can you confirm that it's not in fact possible to pass the user/pass via HTTP parameters (GET or POST) in PHP?
 

energizedit

Well-known member
Registered
Joined
Dec 13, 2016
Messages
259
Points
18
Sure this is possible, not a very secure way to do it though. But if you have a form with the password textbox set to type of password and set the form to post then you won't see the password, or any variables in the actual url.

You will still be able to get these variables on the processing php page though.

Code:
if( isset($_POST['submit']) )
{
    //be sure to validate and clean your variables
    $val1 = htmlentities($_POST['val1']);
    $val2 = htmlentities($_POST['val2']);

    //then you can use them in a PHP function. 
    $result = myFunction($val1, $val2);
}
 

Alexandar

New member
Registered
Joined
Jan 23, 2017
Messages
10
Points
0
Just to add to this - please, please, please make sure not to store your passwords in plain text format.
Another important thing if we're talking about custom made php apps/sites which don't rely on specific framworks - make sure that you're not subjective to sql injection attacks, prevention is a two liner that you would add to the code.
 

kevinhng86

Member
Registered
Joined
Jan 12, 2017
Messages
58
Points
0
There are secure way you can pass password through URL. First of all you can pass password in a URI or you can also pass it in JSON format with POST request. Though will always be in plain text. To secure them you can connect through an SSL connection or if you have server administration privilege you can have a dual stack setup. Where you receiving and sending server connect through a IpSec encode pipe and you still use SSL on top of that.

If you just want to verify the user data and don't need to store the password in the database, you can encrypt it in HMAC-SHA standard or equivalent. This string is then compare in your database. If you send get request and username store in the URI and password also encode in the string request you still have a security threat. If someone want to sniff out the password he doesn't need to decode the password he can just grab the entire URI string and replicate the field and your server will still authorise him. Remember that the URI string most likely be store in the browser history folder after it is execute. Also another copy of that would be store on your server log.

If you must send the username and password in a plain string URI string and you really need the data you can do it this way. Encrypt every param name in HMAC crypt or similar. Have two random param name that store junk data and constantly change. Encode everything else. Split the value of the param string into 3 piece and join them with defined data and then encode it into a Base64 string. For example I was to send this in a param string:

example.com?_username=kevinhng86&password=1345678

I would turn it into this:

example.com?_<crypt_value_of_username>=<base64_va lue_of_XXXg86XnhnXXivek&&<crypt_value_of_randomnam e>=<base64_value_of_randomdata>&<crypt_value_of_p a ssword>=<base64_value_of_XXXX78XX56XXXXX431>&<cryp t_value_of_randomname>=<base64_value_of_randomdata >

How do I decode this after, For crypt value I can't decrypt the value but I can store the pair of it in a data base. When I encrypt the word "username", I can store the word username and the HMAC value of it in a database to compare it later. For random data I can also do this, store the algorithm of how to remove them and put back the original text.

Other way to sending your data securely is through request header, through JSON post data. Remember though there is no undecryptable technique. If someone really try to get a data, It can take them year to try to decrypt any crypt string by bruteforce it. Most likely that will not happen to us because we don't store really valuable information. However it is a good practice to keep everything secure.

There is no difference between a custom make software and one that produce by a professional. Both can have bug, both can have security vulnerability. The only thing important is if you put due care and due thought into making your software secure. A custom make software that have no loop hole is 10x better than a professional software that carry a ton of bug and security vulnerability.
 

webdesign

Well-known member
Joined
Jul 5, 2012
Messages
120
Points
0
webdesign
Why don't you use md5 to encode them when displaying on browsers and saving to database.
It is also a good choice to make username and password secure while the user is sending their data.
 

kevinhng86

Member
Registered
Joined
Jan 12, 2017
Messages
58
Points
0
kevinhng86
You can use md5 for encoding but that is if you already have it value store in the database for something to compare to. It is not possible to decode md5 string unless you brute force it. There is however a way. That is you can encode the full URL in an organise and sorted structure. You can then brute force it using the combination of username and password that is store in your database.

However there is still a chance that a man in the middle attack can occur by someone who send the exact same encrypted string to your server. He can still login. To avoid this one you can encode the user IP & Geo location with the string. So if the system detect that it did not come from that user. Then it is tough luck.
 

HyperFilter

Member
Registered
Joined
Jan 23, 2017
Messages
25
Points
0
I believe this method is not possible because it is not secure and no one will put their username and password on the URL. I try to put parameters (username/password) on url with this way
Code:
example.com/index.php?username=username&password=mypassword
Is there a method to send username and password in a secure way with PHP? Can you confirm that it's not in fact possible to pass the user/pass via HTTP parameters (GET or POST) in PHP?
I'd be looking to use a bit of encryption and ajax+json to hide this... :)
 

iamgaurav

New member
Registered
Joined
Mar 4, 2017
Messages
13
Points
0
Out of curiosity why do you want the username/password to be sent via GET or POST? Sending the credentials via POST and having an SSL on the website is quite secure enough.
 
Recommended Threads

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top