Hi, I have a login page which is not using encryption (SSL). If I post the login web form to an SSL page, will the login name and password be submitted to the page using encryption?
Best regards,
Richard.
mattglet
5:22 pm on Oct 27, 2003 (gmt 0)
as long as you properly pass the values through, using either input fields, or via the querystring, you will have no problems.
-Matt
Xoc
12:18 am on Nov 1, 2003 (gmt 0)
No, the query string will not be encrypted no matter what. The posted fields will be encrypted. So make sure that you use post, not get.
jatar_k
12:20 am on Nov 1, 2003 (gmt 0)
we recently did some serious sniffing on this scenario. Using post, as mentioned, the secure socket is established before any form data is sent.
plumsauce
5:04 am on Nov 1, 2003 (gmt 0)
a GET is encrypted under SSL, this is why every secure host needs a separate ip.
it is true that the variables will be visible in the address bar of the browser, but the entire request *is* encrypted over the wire. the visibility of the variables is an artifact local to the browser.
Xoc
9:43 am on Nov 2, 2003 (gmt 0)
You are right. I didn't think it through entirely. When you do a request, the domain name is sent unencrypted to the DNS server so that it can resolve it into an IP address. However, everything after the domain name / that is put into the GET line of the packet is SSL encrypted before it is sent over the wire. This is not unencrypted until it gets to the web site on the web server.
However, if you do use GET, realize that it will show up in the history list in the browser, and if the page is bookmarked, will have the username and password as plain text in the bookmark.
mattglet
2:51 am on Nov 3, 2003 (gmt 0)
oh that's my fault... i didn't read the question properly. i just thought he couldn't post to an https. didn't realize he was wondering if the data itself was encrypted. sorry for the mis-info.
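
Added example, not part of the original thread: a small Python check that applies the two points raised above (the form must post to an https target, and it must use POST so the credentials stay out of the URL, history and bookmarks) to the HTML of a login page. The names `LoginFormFinder` and `audit_login_forms` and the example.com hosts are made up for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An absent action submits to the page's own URL; an absent
            # method falls back to GET, as browsers do.
            self._form = {"password": False,
                          "target": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower()}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["password"]:      # keep only forms that carry a password
                self.forms.append(self._form)
            self._form = None

def audit_login_forms(page_url, html):
    """Return [(target_url, [findings])] for every form with a password field."""
    finder = LoginFormFinder(page_url)
    finder.feed(html)
    report = []
    for form in finder.forms:
        findings = []
        if urlsplit(form["target"]).scheme != "https":
            findings.append("action is not https: credentials cross the wire unencrypted")
        if form["method"] != "post":
            findings.append("method is not POST: credentials end up in the URL (history, bookmarks)")
        report.append((form["target"], findings))
    return report

# Constructed sample: a page served over plain http, as in the question.
SAMPLE_URL = "http://www.example.com/login.html"
SAMPLE_HTML = """
<form action="https://secure.example.com/auth" method="post"><input type="password" name="p"></form>
<form action="https://secure.example.com/auth"><input type="password" name="p"></form>
<form action="/auth" method="POST"><input type="password" name="p"></form>
<form action="/search"><input type="text" name="q"></form>
"""

for target, findings in audit_login_forms(SAMPLE_URL, SAMPLE_HTML):
    print(target, findings or ["ok"])
```

The third sample form shows the case behind the original question: a relative action on an http page resolves to an http target, so the post is only encrypted when the action names the https URL explicitly.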