Skip to content

Instantly share code, notes, and snippets.

@GUIEEN

GUIEEN/secure.md

Last active September 23, 2019 10:46
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save GUIEEN/ac8108dfd421d4552232a7907a734258 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save GUIEEN/ac8108dfd421d4552232a7907a734258 to your computer and use it in GitHub Desktop.
Download ZIP
How secure are query strings over https
Raw
secure.md

http://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/

Problems of sending credentials in query

  1. URLs are stored in web server logs
  • typically the whole URL of each request is stored in a server log. This means that any sensitive data in the URL (e.g. a password) is being saved in clear text on the server. Here’s the entry that was stored in the httpwatch.com server log when a query string was used to send a password over HTTPS:
2009-02-20 10:18:27 W3SVC4326 WWW 208.101.31.210 GET /Default.htm password=mypassword 443 ...
  1. URLs are stored in the browser history
  • browsers save URL parameters in their history even if the secure pages themselves are not cached. Here’s the IE history displaying the URL
  • Query string parameters will also be stored if the user creates a bookmark.
  1. URLs are passed in Referrer headers
  • if a secure page uses resources, such as javascript, images or analytics services, the URL is passed in the Referrer request header of each embedded request. Sometimes the query string parameters may be delivered to and stored by third party sites. In HttpWatch you can see that our password query string parameter is being sent across to Google Analytics:

Solution

  • The solution to this problem requires two steps:

    • Only pass around sensitive data if absolutely necessary. Once a user is authenticated it is best to identify them with a session ID that has a limited lifetime.
    • Use non-persistent, session level cookies to hold session IDs and other private data.

  • The advantage of using session level cookies to carry this information is that:

    • They are not stored in the browsers history or on the disk
    • They are usually not stored in server logs
    • They are not passed to embedded resources such as images or javascript libraries
    • They only apply to the domain and path for which they were issued
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment