Passing userid/password via URL is this insecure?


jwocky
01-18-2007, 11:23 AM
I'm writing a custom script that needs to pass a user's id and password to another script outside of vBulletin. I had originally done this via a POST command, but for technical reasons I may need to move it to a GET method by putting the information into the URL (i.e. http://www.example.com/forum/myscript.php?id=321&pw=jkhs78892jsb729d)

My question is, is this a big security risk in any way? I assume it's the user himself that could see the URL in the bar, so it's OK for him to see his own password, and it's MD5 hashed anyways, so he won't even understand it.

Thanks for any insight into this!

Marco van Herwaarden
01-18-2007, 11:27 AM
Yes, that would be insecure. For example, that same URL will be stored in the history on the user's PC.

jwocky
01-18-2007, 11:48 AM
Ah true, didn't think of that. So then even with the MD5 hash, if someone had access to my computer they could pull out my password from that link that was stored?

Also, do you know another way to pass this data directly from a link in vBulletin? I'm trying to pass this data to my outside forum, but the way I'm doing it is roundabout..

Link-->
PHP that will gather username/password put it into a form and POST it to -->
second PHP that will do my stuff

Using the insecure GET method I can cut that down to 2 steps

Link (with info embedded into url) -->
Second PHP that will do my stuff

Is there another alternative that I'm missing that would be secure and be a 2 step process?

thanks!!

jap
01-18-2007, 01:56 PM
Personally I don't think this is possible without making your site and data very unsafe.
I don't think the security system of VB will accept this :s
(with the hashes and stuff that VB uses)
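
An added example, not part of the thread and not vBulletin code: one way to keep the two-step link flow without putting the password hash in the URL is to have the linking page sign the user id and an expiry time with a secret that both scripts share. The key, the function names and the 60-second lifetime are assumptions made for illustration.

```php
<?php
// Added example. HANDOFF_KEY, make_handoff_link() and verify_handoff() are
// hypothetical names; the key value is a constructed sample, not a real secret.
const HANDOFF_KEY = 'constructed-sample-key-change-me';
const HANDOFF_TTL = 60; // seconds the link stays valid

// Forum side: build the link for the logged-in user.
// The URL carries id, expiry and signature, never the password or its hash.
function make_handoff_link(string $base, int $userId, int $now): string
{
    $expires = $now + HANDOFF_TTL;
    $sig = hash_hmac('sha256', $userId . '|' . $expires, HANDOFF_KEY);
    return $base . '?' . http_build_query(
        ['id' => $userId, 'exp' => $expires, 'sig' => $sig]
    );
}

// Receiving script: return the user id if the link is intact and fresh, else null.
function verify_handoff(array $query, int $now): ?int
{
    foreach (['id', 'exp', 'sig'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null; // missing or array-valued parameter
        }
    }
    if (!ctype_digit($query['id']) || !ctype_digit($query['exp'])) {
        return null;
    }
    if ((int) $query['exp'] < $now) {
        return null; // expired: a copy left in browser history no longer works
    }
    $expected = hash_hmac('sha256', $query['id'] . '|' . $query['exp'], HANDOFF_KEY);
    // hash_equals() compares in constant time
    return hash_equals($expected, $query['sig']) ? (int) $query['id'] : null;
}

// Demo with the URL shape from the first post (user id 321 is constructed input).
$now  = time();
$link = make_handoff_link('http://www.example.com/forum/myscript.php', 321, $now);
parse_str(parse_url($link, PHP_URL_QUERY), $q);

var_dump(verify_handoff($q, $now));        // fresh, untouched link
var_dump(verify_handoff($q, $now + 3600)); // same link replayed an hour later
$q['id'] = '322';
var_dump(verify_handoff($q, $now));        // id changed after signing
```

Within its 60 seconds the link can still be replayed by anyone who sees it; making it single-use needs server-side state on the receiving script, which this sketch leaves out.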