Are variables sent in a url over https secure?

optik

3:58 pm on Jul 19, 2009 (gmt 0)

10+ Year Member



I want to allow access to an XML file from other servers by password only, so the request on the accessing server would be something like:

[secure.domain.net...]

Would such a request ensure that the password sent in the URL would be secure, or could this be sniffed?

andrewsmd

2:16 pm on Jul 20, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Anything can be sniffed, that is the point of encryption. You may want to look at some encryption with JS before you send the password. HTTPS is more secure than http, but it can still be hacked.

optik

6:02 pm on Jul 20, 2009 (gmt 0)

10+ Year Member



So are APIs that use things like SOAP over HTTPS encrypting the data before sending?

andrewsmd

6:23 pm on Jul 20, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Anything that is using HTTPS has the data encrypted before it is sent. That is the purpose of HTTPS. I misread your question earlier, sorry. Why not pass that password in a session variable? Then it would be encrypted through the HTTPS and should be able to serve whatever purpose you need it for. If you have to put it in the URL, which I wouldn't recommend, then encrypt it with JS or something on the client side before you append it to the URL.

optik

1:02 pm on Jul 22, 2009 (gmt 0)

10+ Year Member



The request will be coming from a different server, so I can't use a session variable. I don't think the requesting site will have SSL, so two-sided encryption may be the best solution.

optik

1:11 pm on Jul 22, 2009 (gmt 0)

10+ Year Member



Another question related to this is whether it is possible to fake the information coming from the server hosting the XML file.

For a different site I'm making, I want there to be an XML page hosted on site A, and this is read by site B. The XML would hold user_id and account_active info, so that site B could give access to certain areas of its site based on the info from site A's XML file. The idea would be that site B updated its database using this info from the XML file on site A using a cronjob.

I can't really see any way of the users of site B being able to hack the request being made by the cronjob without some serious intervention going on. Am I right on this, or is this not a secure process?

andrewsmd

1:36 pm on Jul 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It sounds pretty secure to me. As long as you are encrypting it when you send it over the internet, you should be fine. Will you be dealing with any financial or health information?

optik

2:18 pm on Jul 22, 2009 (gmt 0)

10+ Year Member



Well, the information isn't valuable but must not be tampered with en route. Site A will be taking payments for subscriptions on behalf of site B. Site B will need to check the XML produced by site A to update its own database with info on which user IDs have paid for their subscription.

If the data was to be encrypted, I would need my own algorithm to decode it, wouldn't I?

andrewsmd

2:35 pm on Jul 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I believe PHP has an mcrypt install for that. I've never used it though. You may want to look at that.
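
An added example, not part of the original thread and not any poster's code: one way site B's cron job can detect a feed that was altered en route is for site A to attach an HMAC-SHA256 tag computed with a secret both sites share, using PHP's built-in `hash_hmac()` and `hash_equals()` rather than a home-made algorithm. The function names, XML layout, secret and 15-minute freshness window are assumptions; `user_id` and `account_active` are the fields named in the thread.

```php
<?php
// site_a_build_feed() and site_b_read_feed() are hypothetical names for this example.
// Shared secret known only to site A and site B, exchanged out of band.
// Constructed placeholder value: load the real one from configuration.
const FEED_SECRET = 'replace-with-32-random-bytes-from-config';
const MAX_AGE_SECONDS = 900; // assumed policy: reject feeds older than 15 minutes

// Site A: build the feed and compute an HMAC-SHA256 tag over timestamp + body.
function site_a_build_feed(array $accounts, int $now): array
{
    $xml = new SimpleXMLElement('<accounts/>');
    foreach ($accounts as $userId => $active) {
        $user = $xml->addChild('user');
        $user->addChild('user_id', (string) $userId);
        $user->addChild('account_active', $active ? '1' : '0');
    }
    $body = $xml->asXML();
    $tag  = hash_hmac('sha256', $now . "\n" . $body, FEED_SECRET);
    return ['body' => $body, 'timestamp' => $now, 'signature' => $tag];
}

// Site B (cron job): check the tag and freshness before trusting any field.
function site_b_read_feed(string $body, int $timestamp, string $signature, int $now): ?array
{
    $expected = hash_hmac('sha256', $timestamp . "\n" . $body, FEED_SECRET);
    if (!hash_equals($expected, $signature)) { // constant-time comparison
        return null; // body or timestamp was altered, or the secret is wrong
    }
    if (abs($now - $timestamp) > MAX_AGE_SECONDS) {
        return null; // an old, validly signed copy is being replayed
    }
    $accounts = [];
    foreach (simplexml_load_string($body)->user as $user) {
        $accounts[(int) $user->user_id] = ((string) $user->account_active === '1');
    }
    return $accounts;
}

// Constructed sample data: user 101 has paid, user 102 has not.
$now  = time();
$feed = site_a_build_feed([101 => true, 102 => false], $now);
var_dump(site_b_read_feed($feed['body'], $feed['timestamp'], $feed['signature'], $now));

// Flip user 102 to active in transit: the tag no longer matches, so site B rejects it.
$tampered = str_replace('102</user_id><account_active>0', '102</user_id><account_active>1', $feed['body']);
var_dump(site_b_read_feed($tampered, $feed['timestamp'], $feed['signature'], $now));
```

Because only the tag travels with the feed, the shared secret never appears in a URL, where it would otherwise be recorded in web server access logs.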