How can I prevent login information from appearing in the URL?

rodry has asked for the wisdom of the Perl Monks concerning the following question:

I have a simple login script that takes the login information from a form and authenticates the user. It works fine but I am concerned about the login information showing on the URL. Anyone looking at the users monitor can see the login/password combination.

Is there a way to "hide" this sensitive information in the URL?

Originally posted as a Categorized Question.

Comment on How can I prevent login information from appearing in the URL?

Replies are listed 'Best First'.
Re: How can I prevent login information from appearing in the URL? by turnstep (Parson) on Apr 15, 2000 at 21:01 UTC
Try using a POST and a cookie: once they log in through a POST request (which has no information in the URL), set a cookie with the login information. Then, on subsequent pages, you can still use simple HREF's to go to other scripts, and the login information will be sent via the browser, but not show in the URL. If you are not using cookies, just continue to use POST and throw the login information into a hidden form. A smart script would even figure out if you are using cookies and write the page with either normal HREF's or POST-HIDDEN-SUBMIT combos.	[reply]
Re: How can I prevent login information from appearing in the URL? by SmokeyB (Scribe) on Sep 27, 2002 at 20:18 UTC
To make it simple, just make sure your form method = post. `<form action="youscript.cgi" method='post'>` [download]	[reply] [d/l]
Re: How can I prevent login information from appearing in the URL? by cianoz (Friar) on Aug 26, 2000 at 13:38 UTC
I suggest using server side sessions since you have to exchange only a session ID with the client. (the session ID can be expired once the session terminates) the Session ID can be stored in a cookie (better) or in the url (only if the client doesn't support cookies) Apache::Session could be of some help: it takes care of generating session IDs, storing data etc... once the session is initialized you can use it as a normal hash. you can even store complex data structures since it uses Data::Dumper (it doesn't need mod_perl as the name would suggest)	[reply]
Re: How can I prevent login information from appearing in the URL? by athomason (Curate) on May 17, 2000 at 10:26 UTC
I would strongly recommended against sending any sensitive information via GET (i.e. in URLs), encrypted or not. While simple scrambling may do for over-the-shoulder password stealers, some small providers (e.g. companies, schools) log HTTP requests; an insidious sysadmin might try to piece together the original info. Granted, it's a longshot, but you gain both security and readability (read: typeability) of the URL by using POST. You can't give somebody the URL of a filled out POST form result, but that's not likely to be an issue when authentication is required anyhow. As the above posters mentioned, cookies may be a useful part of the system.	[reply]