Welcome to the MacNN Forums.



Info passed with URL safe with SSL?
Junior Member
Join Date: Jul 2002
Location: Hang Loose, Hawaii
Nov 22, 2002, 07:48 PM
 
is it safe to pass info on the URL when you are using a SSL connection?

to be more specific: on my PHP script, i am authenticating users by their email addresses with a login script that POSTs back to itself.

when the script looks at the data and figures out it is a new user, it redirects the user to a secure form where s/he can register.

the line on the login script (note that $_POST[login] = email address entered at the login form):

if($customer=="new"):
header("Location: https://mysite.net/register.php?step...ter&email=$_POST[login]");


so, basically, is the info after ? in the url encrypted at all or is it passed as plain text?

for now i'm assuming it isn't, so is there any way to pass the email to the register form using POST while redirecting at the same time?

thanks
Can I have that cookie?
     
Mac Enthusiast
Join Date: Jul 2002
Location: Leiden, Netherlands
Nov 24, 2002, 04:38 AM
 
Originally posted by ilukas:
is it safe to pass info on the URL when you are using a SSL connection?

the line on the login script (note that $_POST[login] = email address entered at the login form):

if($customer=="new"):
header("Location: https://mysite.net/register.php?step...ter&email=$_POST[login]");


so, basically, is the info after ? in the url encrypted at all or is it passed as plain text?

for now i'm assuming it isn't, so is there any way to pass the email to the register form using POST while redirecting at the same time?

thanks
I don't think so ... But you can check with programs like tcpdump.
     
Dedicated MacNNer
Join Date: Aug 2002
Dec 1, 2002, 09:02 PM
 
post / get are probably the least secure way because people can change the info in the bar and login as others...

sessions are somewhat better, a good reference is at http://www.php.net/manual/en/ref.session.php


--will
     
Clinically Insane
Join Date: Nov 1999
Dec 2, 2002, 09:38 AM
 
Originally posted by clam2000:
post / get are probably the least secure way because people can change the info in the bar and login as others...
You can't do that with post, at least not under ordinary circumstances. Someone truly determined could get around this by writing their own program (or using wget and doing it manually, for the truly masochistic), but it's not as easy as Get.

Sessions are, as you say, better for this sort of thing. But you should know that they actually use the post method. It's just that rather than sending raw username and password data, they encode it into a session variable. That's how it's made more secure.

If you're doing this, though, and you want the ultimate in security, then definitely combine it with SSL. That will lock out some browsers, but not many; even Lynx supports SSL nowadays (if you get the proper build).
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
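
Added example, not part of the original thread or any poster's code: over HTTPS the path and query string are encrypted in transit, but the full URL is still written to server access logs and browser history and can be sent on in Referer headers, so the sketch below carries the email in the server-side session that the replies recommend instead of in the redirect URL. The session key `pending_email` and both function names are assumptions, and the truncated `step...` parameter from the original redirect is left out.

```php
<?php
// Added example: pass the email from the login script to register.php
// through the session instead of the query string.
// 'pending_email', redirect_new_customer() and pending_email() are
// hypothetical names chosen for this sketch.

const COOKIE_OPTS = ['secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

// Call from the login script once it has decided the customer is new,
// e.g. if ($customer == "new") { redirect_new_customer($_POST['login']); }
function redirect_new_customer(string $email): void
{
    // Accept only a syntactically valid address; this also keeps CR/LF
    // and other control characters out of anything stored or echoed later.
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        http_response_code(400);
        exit('Invalid email address');
    }

    session_set_cookie_params(COOKIE_OPTS); // cookie is sent over HTTPS only
    session_start();
    session_regenerate_id(true);            // fresh session id for this flow
    $_SESSION['pending_email'] = $clean;    // the value stays on the server

    // The redirect URL carries no user data. 303 makes the browser fetch
    // the registration form with GET after the login POST.
    header('Location: https://mysite.net/register.php', true, 303);
    exit;
}

// Call at the top of register.php to pre-fill the form field.
function pending_email(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(COOKIE_OPTS);
        session_start();
    }
    $email = $_SESSION['pending_email'] ?? null;
    return is_string($email) ? $email : null;
}
```

When register.php prints the value into the form, pass it through `htmlspecialchars()` first.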
     
   
All times are GMT -5. The time now is 06:23 PM.
All contents of these forums © 1995-2011 MacNN. All rights reserved.