0

I have a login form with username and password. It works, but after the request I see on the web browser something like "...login?user=myUser&password=myPassword".

Given that the form has a password field that hides the password while it's typed, it would not be funny to see the password on the address bar.

Is it possible to avoid this?

The user verification is done on the server with a custom Java web server.

michelemarcon
  • Without knowing what framework you're using or how you're interacting with your HTTP messages, we can only specify a generic answer. – Buhake Sindi Aug 22 '11 at 13:27
  • I'm using a custom web server, so there is no standard framework. I intercept the HTTP request and act accordingly. – michelemarcon Aug 23 '11 at 07:08

8 Answers

7
  1. Set your HTTP form method to POST instead of GET. This stops the form from appending the parameters to the URL.
  2. Secure your page to use HTTPS instead of HTTP. That way, an eavesdropper cannot read the unencrypted HTTP POST message.
Buhake Sindi
  • 2
    +1 Point 2 is very important. Many think POST forms cannot be "seen", but this is true only for normal human eyes. – Nivas Aug 22 '11 at 13:27
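An added example (not code from the asker or from any answer) of the server-side half of this advice for a custom server that parses raw requests itself: it accepts credentials only from a POST body, refuses a password sent in the query string, and logs the path without the query. It is written in Python for brevity; the function names, the `example.test` host and the sample requests are constructed, and the field names `user` and `password` are taken from the URL in the question. Without HTTPS the POST body is still plaintext on the wire, as point 2 says.

```python
from urllib.parse import urlsplit, parse_qs

SENSITIVE_FIELDS = {"password"}  # assumed field name, taken from the question's URL

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def request_line(raw: bytes) -> str:
    """The part of a request that address bars, history and access logs record."""
    return raw.split(b"\r\n", 1)[0].decode("iso-8859-1")

def handle_login(raw: bytes):
    """Return (status, credentials, safe_log_entry); credentials only from a POST body."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    log_entry = f"{method} {url.path}"          # never log the query string here
    if SENSITIVE_FIELDS & parse_qs(url.query).keys():
        return 400, None, log_entry             # password arrived in the URL: refuse it
    if method != "POST":
        return 405, None, log_entry
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return 415, None, log_entry
    try:
        length = int(headers.get("content-length", ""))
    except ValueError:
        return 411, None, log_entry
    form = parse_qs(body[:length].decode("utf-8", "replace"))
    user = form.get("user", [""])[0]
    password = form.get("password", [""])[0]
    if not user or not password:
        return 400, None, log_entry
    return 200, (user, password), log_entry

# Constructed sample requests (not captured traffic).
GET_REQ = b"GET /login?user=myUser&password=myPassword HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"user=myUser&password=myPassword"
POST_REQ = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
```

`request_line(GET_REQ)` contains the password while `request_line(POST_REQ)` does not, which is the difference the asker sees in the address bar.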
1

The only way that this can be done is by not using the GET method of form submission. You need to use the POST method. More information can be found here http://www.cs.tut.fi/~jkorpela/forms/methods.html

Your form will look like this

    <form method="post" action="somepage.php">
    </form>
secretformula
1

Your form is using GET, not POST. Passing variables via a query-string in the URL (GET) can be dangerous as users can see and modify these values. Change your form's method to POST. In standard HTML this would look like:

    <form method="GET" action="......

...to...

    <form method="POST" action=".....
ITCS
0

You can encode the password, which will obscure it.

However, using a POST form instead will hide all its fields.

Peter Lawrey
0

Yes, use a POST request instead of GET.

dave
0

Convert your form to use the HTTP "POST" method instead of "GET", e.g.:

    <form action="/login" method="post">

Also consider obscuring the password before it is transmitted, e.g. using a scheme such as Base64 or MD5.

maerics
0

Change the 'method' attribute on the form from "get" to "post" -- and send the request over HTTPS, preferably.

Andrey Butov
0

When you see a "login?user=myUser&password=myPassword" in your address bar this means that your Login form is using the GET request method:

    <form id="login" action="some_file" method="get">

The easiest way of hiding this info would be to change from GET to POST method:

    <form id="login" action="some_file" method="post">

You can read more about both of these methods here:

When to use POST and GET?

However, note that POST is not much safer than GET. You can read more about this here:

POST and GET in terms of Security

GEMI