I would strongly recommended against sending any sensitive information via GET (i.e. in URLs), encrypted or not. While simple scrambling may do for over-the-shoulder password stealers, some small providers (e.g. companies, schools) log HTTP requests; an insidious sysadmin might try to piece together the original info. Granted, it's a longshot, but you gain both security and readability (read: typeability) of the URL by using POST. You can't give somebody the URL of a filled out POST form result, but that's not likely to be an issue when authentication is required anyhow. As the above posters mentioned, cookies may be a useful part of the system.