php - The use of UrlEncodedFormEntity to send passwords

843

I was trying to send username and password over POST method in my android app. As I understand from the standard examples, we declare aUrlEncodedFormEntity object followed by ahttpPost.setEntity(urlEncodedFormEntity)

My question is that is it considered "safe" to send passwords via this method (assuming that there is an encryption available)?

This is as I have also read posts saying that one should not send passwords via the GET method, as it may be encoded into the URL string. If so, does theUrlEncodedFormEntity do the same thing? (By the wording URL encoded).

My networking knowledge is rather fuzzy and thanks all for the help.

509

Answer

Solution:

My question is that is it considered "safe" to send passwords via this method (assuming that there is an encryption available)?

Yes, if your URL is HTTPS and you do not connect if an untrusted certificate is presented.

This is as I have also read posts saying that one should not send passwords via the GET method, as it may be encoded into the URL string. If so, does the UrlEncodedFormEntity do the same thing?

No, the POST method sends the data in the message body unlike GET in which the data is transmitted in the URL. Even though both GET and POST data is encrypted if the URL is HTTPS, GET data in the query string is logged by default on load balancers, servers, corporate proxies, etc, so for this reason it is safer to use POST.

Answer

Solution:

UrlEncoded just changes a few characters that don't transmit correctly over http like : is changed to %3a it has nothing to do with encryption.

It would be safe if the URL to send the passwords to is HTTPS.

People are also looking for solutions to the problem: php - Joomla home page not appearing in root

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question