Is there a difference, security wise, sending a username and password in the query string versus sending it as a complex object in the body of the POST?
I am using HTTPS.
Ex:
myservices.com/auth?username=myname&password=mypass
versus getting the Stream from the request and deserializing it to an object?
Since the method is POST and uses HTTPS, does it matter?
There is a huge difference. The query string is part of the URL. It is in the browser history and the address bar in plaintext. There are known attacks that can inspect a browser's history. Do not put sensitive data in a URL.
I'll add one thing to the previous answers. The URL can also very likely end up in server access logs. So sensitive information in a URL would get stored in plaintext in the server logs(instead of just encrypted/hashed in a db somewhere).
The way information is sent over HTTPS is of the form
"adaadnajdkbjkbdbk27y27672323gyu2gugsgjuguq2e2eh2t67878et27tshjdgjg32766t17te76tgeuyg1et617e67t281te8t128et71te56t1267e71dvdhj12d672d7f12fd712dgugvduv217df76127dr6217712d6721dr716rd671r672d"
irrespective of GET or POST method, the only difference is that your sensitive data will be exposed in the URL. I would not recommend using it because your browser history will store your sensitive data which can be extracted by hackers.
