HTTPS, URL path, and query string

醉酒成梦 2020-12-15 06:04

This is a follow-up post to my previous question about BASIC auth over HTTPS.

Are the path to the resource and query string passed securely to the server if I use HTT

3 Answers
  •  轮回少年
    2020-12-15 06:52

    Yes it is - the entire session is secured and encrypted so anything you send, including the query string, is unreadable.

    You can prove this to yourself, if you wish, by using something like Fiddler to view the http/https traffic you generate when you visit a secure url. Anything you send over HTTPS will not show the querystring, as shown here:

    [image]

    The actual URL I was visiting looked like this:

    https://www.halifax-online.co.uk/_mem_bin/formslogin.asp?source=halifaxcouk&simigvis=

    As per other answers, you shouldn't pass any sensitive information in the querystring as this may be stored in your web server's log files, so if you were passing a username/password combination, anyone who could access your logs would be able to capture that information. This could allow someone to log into your site/application as if they were someone else, even if you were making efforts such as storing passwords in your database as salted hashes, rather than plaintext.
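
The log-file exposure described in the answer above can be checked for directly. The following is an added example, not code from the original post: it scans access-log lines for secret-bearing query parameters and redacts their values. The Common/Combined Log Format, the parameter-name list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names of secret-bearing parameters; extend for your application.
SENSITIVE = {"password", "passwd", "pwd", "token", "access_token",
             "api_key", "secret", "session"}

# Request field of a Common/Combined Log Format line: "METHOD target PROTO".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2020:06:52:01 +0000] '
    '"GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Dec/2020:06:52:04 +0000] '
    '"GET /search?q=tls+query+string HTTP/1.1" 200 2048',
    '203.0.113.7 - - [15/Dec/2020:06:52:09 +0000] '
    '"GET /api/items?page=2&Token=abc123 HTTP/1.1" 200 128',
]

def redact_target(target):
    """Return (redacted request target, names of sensitive params found)."""
    parts = urlsplit(target)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:  # parameter names matched case-insensitively
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan_line(line):
    """Return (line with secrets redacted, names found); clean lines pass unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    redacted, found = redact_target(m.group("target"))
    if not found:
        return line, []
    return line[:m.start("target")] + redacted + line[m.end("target"):], found

def report(lines):
    """List (line number, parameter names, redacted line) for each offending line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        redacted, found = scan_line(line)
        if found:
            hits.append((lineno, found, redacted))
    return hits

if __name__ == "__main__":
    for lineno, found, redacted in report(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(found)} -> {redacted}")
```

TLS protected these values on the wire, yet the server still wrote them to disk in cleartext, which is why credentials belong in the request body or a header rather than the URL.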
