Cody

Reputation: 8944

Is there a difference between sending a username/password in the query string or as a stream?

Is there a difference, security-wise, between sending a username and password in the query string versus sending it as a complex object in the body of the POST?

I am using HTTPS.

Ex:

myservices.com/auth?username=myname&password=mypass

versus getting the Stream from the request and deserializing it to an object?

Since the method is POST and uses HTTPS, does it matter?

Upvotes: 1

Views: 787

Answers (3)

Ashwin Singh

Reputation: 7345

The way information is sent over HTTPS is of the form

"adaadnajdkbjkbdbk27y27672323gyu2gugsgjuguq2e2eh2t67878et27tshjdgjg32766t17te76tgeuyg1et617e67t281te8t128et71te56t1267e71dvdhj12d672d7f12fd712dgugvduv217df76127dr6217712d6721dr716rd671r672d"

irrespective of the GET or POST method. The only difference is that your sensitive data will be exposed in the URL. I would not recommend using it because your browser history will store your sensitive data, which can be extracted by hackers.

Upvotes: 0

entropy

Reputation: 3144

I'll add one thing to the previous answers. The URL can also very likely end up in server access logs. So sensitive information in a URL would get stored in plaintext in the server logs (instead of just encrypted/hashed in a db somewhere).

Upvotes: 1

John Watts

Reputation: 8865

There is a huge difference. The query string is part of the URL. It is in the browser history and the address bar in plaintext. There are known attacks that can inspect a browser's history. Do not put sensitive data in a URL.

Upvotes: 2
