Home/ Questions/Q 188119
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T15:56:52+00:00

If a user clicks on a button that does a post (lets say it

  • 0

If a user clicks on a button that does a post (lets say it has UserName and Password in the post) and those credentials get authenticated successfully. If I did a redirect to a completely different application (so I can’t carry session, etc) and I use a GET with the Username and Password in the querystring (I could even use basic encryption if that helps but regardless) and then when it gets to the page, I check to make sure it came from the page I expected it to come from, pull the values from the querystring, put them in a session variable and then do a redirect back to the same page (removing the querystring values so they can’t be viewed by user). This all happens over SSL on the same server.

Can someone point out the security holes of someone intercepting the UserName and Password in this scenario?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. If you are using SSL, noone can intercept the request. The problem is actually with the client itself. It’s not really a good idea to put username and passwords in a GET request (even encrypted), because:

    1. URL can be easily copied and pasted to someone else.
    2. If a user clicks an outside link, the URL will be sent as the referrer.
    3. XSS attacks can be used to hijack the URL.
    • 0