November 12th, 2013, 11:13 PM
User credentials passed via url?
Forgive my newb question as I am new to web development and am working on a prototype/proof-of-concept that will, hopefully, eventually get turned over to experienced web devs.
My situation is this:
I have a command line python script that I wrote that interfaces with an XML API provided by Adobe for one of their web applications - Adobe Connect (it's a virtual meeting service similar to WebEx, GotoMeeting, etc.).
I have a hosted version of Adobe Connect. The API in to it is via query string calls. In the API documentation they have many examples, including one for logging in a user from another program.
So in my python script I have the user enter their credentials, and then, following the API example from Adobe, I construct the proper XML API call, including the user's credentials (ID, PW) and then make the url/query string call. An example of this complete URL looks like this:
Here is a link to the Adobe Connect XML API documentation where the above example is discussed:
My question is simply this:
Passing user credentials via a URL seems very insecure to me and a bad idea. Right now, my code is simply a CLI script, but eventually once I have a handle on the Adobe Connect XML API, I want to re-create everything in a simple web app, where users can login to my app and transparently it logs them into the Adobe Connect app.
Am I correct in thinking that passing credentials via the query string is a bad idea? It is passed via https (vs http) - but I'm still not sure.